04-30-2010 06:26 AM
I have 2 asa5505's. I have created a site to site vpn tunnel using two local networks. (ex. 192.168.1.0 & 192.1689.2.0).
I then tried to make another set of local ip's (ex. 192.168.3.0 & 192.168.4.0) use the same tunnel group, same external endpoints. One set of ip's is for data and the other for ip phones. Vlan 1 is not being used, vlan 2 is inside interface, vlan 3 is outside interface, and vlan 4 is the 2nd interface named phones. The first data networks are working fine, but the phones ip data is not flowing. I can not ping the other side. I set vlan 4 to not foward to interface vlan 2 and set the security to 100 on both ends. These are two independent local networks that don't need to talk to each other. Is there a reason anyone can think of why this wouldn't work?
Solved! Go to Solution.
05-10-2010 08:33 PM
Configuration looks correct on both sides of the ASA.
Can you please advise what ip address you are trying to ping from and to from the 10.1.5.0/24 and 10.4.5.0/24 subnets?
If you are trying to ping, please also add the following icmp inspection on both ASA:
policy-map global_policy
class inspection_default
inspect icmp
After you ping from the phones subnet, please kindly grab the output of:
show crypto ipsec sa
05-11-2010 06:09 PM
Hi, I have the same problem with two cisco asa5505.
I already have a VPN working between siteA and siteB. Now the customer ask me to connect the IP PBX together, the I created a VLAN 10 at both sides.
At site A 172.18.100.0 and at site B 172.18.101.0, I created the ACL for that address under the ACL of the data, only I adde the line but is not working,
when I tried to ping from the site B when I am at the config terminal at the ASA, and I pingto the eth port of the remote site I didn't received response. Is the same problem at the both directions.
05-11-2010 08:50 PM
Hi Yuri, sorry packet-tracert command is as follows, misplace the sequence numbers:
packet-tracer input VoIP icmp 172.18.100.1 2 2 172.18.101.1 detail
05-11-2010 07:19 PM
Hello Yuri, sorry for my English.
I see only two problems with the site A:
This access-list:
access-list outside_nat0_outbound extended permit ip interface VoIP 172.18.101.0 255.255.255.0
This allows only the traffic from the interface and not from the voice device.
2) why you placed the Nat0 here "nat (outside) 0 access-list outside_nat0_outbound"
the Nat0 should go only to the VoIP interface.
On the site B see everything properly configured in the A should be of the form:
access-list outside_nat0_outbound extended permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0
nat (VoIP) 0 access-list outside_nat0_outbound
access-list outside_100_cryptomap extended permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0 (is good)
These lines are not applied in any place:
access-list nonatVoIP extended permit ip host 192.168.8.133 10.0.5.0 255.255.255.0
access-list nonatVoIP extended permit ip host 192.168.8.133 host 10.0.5.7
access-list nonatVoIP extended permit ip any 192.168.8.0 255.255.255.0
You can try the command
packet-tracer input VoIP icmp 172.18.100.1 0 0 172.18.101.1 detail
and place the results here?
I hope to be of help to you.
05-12-2010 08:31 AM
Thank you, let me try that.
05-12-2010 05:37 PM
Hello Yuri, a suggestion that those conducting the tests. The ping must do so from an internal device, to make ping "eppacurie (config) # ping 172.18.101.100" the ASA sends the IP packet with the source IP of the OUTSIDE interface and no response the other site. The suggestion is: Put a laptop in the VoIP segment with a valid IP 172.18.100.X and leaves a permanent ping: ping 172.18.100.X -t . Then go to the ASA and the command "show crypto ipsec sa" you should see if there is "match" in traffic, for example:
SITE A:
show crypto ipsec sa
interface: outside
Crypto map tag: VPNMAP, seq num: 36, local addr: 200.44.188.130
access-list outside_100_cryptomap permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0
local ident (addr/mask/prot/port): (172.18.100.0 255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.18.101.0/255.255.255.0/0/0)
current_peer: 12.132.144.202
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10 (These are the packages that you send from your laptop)
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9 (These are the packages you receive from a remote network)
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 10 , #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 66.194.160.10, remote crypto endpt.: 12.132.144.202
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 77F9B42B (This is different according to your connection)
At the other ASA should see more or less the same, but if you must display packets encrypted and decrypted. More or less the same amount on both sides
INSIDE interface usually does not answer PING, I suggest you put a PC or laptop on one side and the other to test the ping between the devices, for example:
LAPTOP in eppacurie with IP 172.18.100.10 Pinging the laptop with the IP 172.18.101.10 Northeast. Remember to disable the firewall of the two devices during the test.
please send to me:
show crypto ipsec sa (both device)
show crypto isa sa (both device)
the packet-tracer in the site A is good, traffic passing through all stages before being sent.
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Phase: 10
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Module information for reverse flow ...
Phase: 13
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Module information for reverse flow ...
Result:
input-interface: VoIP
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Have you worked with the CAPTURE command? can configure them to see that the traffic is sent and received normally.
This line not be placed in this interface (SITE A)
nat (outside) 0 access-list outside_nat0_outbound
05-13-2010 09:19 AM
05-13-2010 11:04 AM
Hello, Yuri.
With this catch we can see that the problem is in the site B:
Northeast# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 20, local addr: 12.132.144.202
access-list outside_20_cryptomap permit ip 172.18.101.0 255.255.255.0 172.18.100.0 255.255.255.0
local ident (addr/mask/prot/port): (172.18.101.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.18.100.0/255.255.255.0/0/0)
current_peer: 66.194.160.10
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 32, #pkts decrypt: 32, #pkts verify: 32
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
The PC of the site B is not answering the ping or ASA is not encrypting . The reasons would be:
1 - The PC has an active firewall or antivirus blocking the PING.
2 - The gateway PC is not the ASA.
Let's Put a capture:
access-list capture-out permit ip 172.18.101.0 255.255.255.0 172.18.100.0 255.255.255.0
access-list capture-out permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0
capture inside access-list capture-out interface VoIP circular-buffer
In the capture you should see the package in and out. Please send to me the capture you see there.
05-13-2010 11:38 AM
o.k then you need the capture only on siteB?
and when I gaive the instruction of capture the ASA will gfenerate a file...or is going to display the information on the screen...if is a file how can I get it ?
05-13-2010 11:56 AM
Oh Sorry Yuri, yes the capture is only in the ASA site B, To see the capture is with the command:
show capture inside
inside is the name of capture. Then you will see the processes that effected this package. Only on site B because the packet enters the ASA but gets no response from the PC, as shown in the catch that I sent you.
05-13-2010 03:12 PM
05-13-2010 09:23 PM
Good Morning Yuri,
Does this command to place it in this way?
global (VoIP) 1 interface (Before testing I suggest you remove)
the capture shows that packets enter the ASA but ...
1: 19:51:39.446067 802.1Q vlan#10 P0 172.18.100.41 > 172.18.101.41: icmp: echo request
2: 19:51:44.946652 802.1Q vlan#10 P0 172.18.100.41 > 172.18.101.41: icmp: echo request
3: 19:51:50.439628 802.1Q vlan#10 P0 172.18.100.41 > 172.18.101.41: icmp: echo request
no response. incoming packets are icmp: echo request but the PC or laptop to which you do the ping is not responding. The Package you should see is:
19:51:39.446067 802.1Q vlan#10 P0 172.18.101.41 > 172.18.100.41: icmp: echo reply
The packages are coming to the ASA, leaving the correct VLAN interface: 1: 19:51:39.446067 802.1Q vlan#10
do the following tests and send me the results:
1) ping to the PC from the ASA, as follows
ASA# ping 172.18.101.41 (must be answered)
2) in the PC:
C:\ tracert 172.18.101.41
C:\ ping 172.18.101.41
3) in the PC:
C:\ route print
05-14-2010 11:57 AM
05-14-2010 09:47 PM
Hi, Yuri. I saw the tests. In your capture I saw you
computer has two default routes, what is the reason
this?.
Please make the following tests:
1) from computer
C:\\ tracert 172.18.100.41
2) active the capture:
access-list capture-out permit ip 172.18.101.0 255.255.255.0 172.18.100.0 255.255.255.0
access-list capture-out permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0
capture inside access-list capture-out interface VoIP circular-buffer
from computer C:\\ ping 172.18.100.41 -t
In the ASA see the capture: "show capture inside"
should see the incoming packets to ASA as follows:
1: 19:51:39.446067 802.1Q vlan#10 P0 172.18.101.41 > 172.18.100.41: icmp: echo request
3) C:\\ tracert 200.44.32.12
05-17-2010 10:42 AM
Hi,here are the captures...
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide