Solved: Re: ASA5505 vpn tunnel - Page 2

razorbakill · ‎04-30-2010

I have 2 asa5505's. I have created a site to site vpn tunnel using two local networks. (ex. 192.168.1.0 & 192.1689.2.0).

I then tried to make another set of local ip's (ex. 192.168.3.0 & 192.168.4.0) use the same tunnel group, same external endpoints. One set of ip's is for data and the other for ip phones. Vlan 1 is not being used, vlan 2 is inside interface, vlan 3 is outside interface, and vlan 4 is the 2nd interface named phones. The first data networks are working fine, but the phones ip data is not flowing. I can not ping the other side. I set vlan 4 to not foward to interface vlan 2 and set the security to 100 on both ends. These are two independent local networks that don't need to talk to each other. Is there a reason anyone can think of why this wouldn't work?

Jennifer Halim · ‎05-10-2010

Configuration looks correct on both sides of the ASA.

Can you please advise what ip address you are trying to ping from and to from the 10.1.5.0/24 and 10.4.5.0/24 subnets?

If you are trying to ping, please also add the following icmp inspection on both ASA:

policy-map global_policy
class inspection_default

inspect icmp

After you ping from the phones subnet, please kindly grab the output of:

show crypto ipsec sa

yuvami251168 · ‎05-11-2010

Hi, I have the same problem with two cisco asa5505.

I already have a VPN working between siteA and siteB. Now the customer ask me to connect the IP PBX together, the I created a VLAN 10 at both sides.

At site A 172.18.100.0 and at site B 172.18.101.0, I created the ACL for that address under the ACL of the data, only I adde the line but is not working,

when I tried to ping from the site B when I am at the config terminal at the ASA, and I pingto the eth port of the remote site I didn't received response. Is the same problem at the both directions.

ksilvaoplk · ‎05-11-2010

Hi Yuri, sorry packet-tracert command is as follows, misplace the sequence numbers:

packet-tracer input VoIP icmp 172.18.100.1 2 2 172.18.101.1 detail

ksilvaoplk · ‎05-11-2010

Hello Yuri, sorry for my English.

I see only two problems with the site A:

This access-list:

access-list outside_nat0_outbound extended permit ip interface VoIP 172.18.101.0 255.255.255.0

This allows only the traffic from the interface and not from the voice device.

2) why you placed the Nat0 here "nat (outside) 0 access-list outside_nat0_outbound"

the Nat0 should go only to the VoIP interface.

On the site B see everything properly configured in the A should be of the form:

access-list outside_nat0_outbound extended permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0
nat (VoIP) 0 access-list outside_nat0_outbound

access-list outside_100_cryptomap extended permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0 (is good)

These lines are not applied in any place:

access-list nonatVoIP extended permit ip host 192.168.8.133 10.0.5.0 255.255.255.0
access-list nonatVoIP extended permit ip host 192.168.8.133 host 10.0.5.7
access-list nonatVoIP extended permit ip any 192.168.8.0 255.255.255.0

You can try the command

packet-tracer input VoIP icmp 172.18.100.1 0 0 172.18.101.1 detail

and place the results here?

I hope to be of help to you.

yuvami251168 · ‎05-12-2010

Thank you, let me try that.

ksilvaoplk · ‎05-12-2010

Hello Yuri, a suggestion that those conducting the tests. The ping must do so from an internal device, to make ping "eppacurie (config) # ping 172.18.101.100" the ASA sends the IP packet with the source IP of the OUTSIDE interface and no response the other site. The suggestion is: Put a laptop in the VoIP segment with a valid IP 172.18.100.X and leaves a permanent ping: ping 172.18.100.X -t . Then go to the ASA and the command "show crypto ipsec sa" you should see if there is "match" in traffic, for example:

SITE A:

show crypto ipsec sa
interface: outside
Crypto map tag: VPNMAP, seq num: 36, local addr: 200.44.188.130

      access-list outside_100_cryptomap permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.18.100.0 255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.18.101.0/255.255.255.0/0/0)
      current_peer: 12.132.144.202

      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10 (These are the packages that you send from your laptop)
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9    (These are the packages you receive from a remote network)
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 10 , #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

local crypto endpt.: 66.194.160.10, remote crypto endpt.: 12.132.144.202

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 77F9B42B (This is different according to your connection)

At the other ASA should see more or less the same, but if you must display packets encrypted and decrypted. More or less the same amount on both sides

INSIDE interface usually does not answer PING, I suggest you put a PC or laptop on one side and the other to test the ping between the devices, for example:

LAPTOP in eppacurie with IP 172.18.100.10 Pinging the laptop with the IP 172.18.101.10 Northeast. Remember to disable the firewall of the two devices during the test.

please send to me:

show crypto ipsec sa (both device)

show crypto isa sa (both device)

the packet-tracer in the site A is good, traffic passing through all stages before being sent.

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW

Phase: 8
Type: NAT
Subtype:
Result: ALLOW

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW

Phase: 10
Type: HOST-LIMIT
Subtype:
Result: ALLOW

Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW

Module information for reverse flow ...

Phase: 13
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW


Module information for reverse flow ...

Result:
input-interface: VoIP
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Have you worked with the CAPTURE command? can configure them to see that the traffic is sent and received normally.

This line not be placed in this interface (SITE A)

nat (outside) 0 access-list outside_nat0_outbound

yuvami251168 · ‎05-13-2010

Hi here are the information of the two sides....I connected a laptop at each side

site A: 172.18.100.41

site B: 172.18.101.41

Also I'm including a ping to a device but at the data network, 192.168.8.71 , I got ping answer form that device..

ksilvaoplk · ‎05-13-2010

Hello, Yuri.

With this catch we can see that the problem is in the site B:

Northeast# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 20, local addr: 12.132.144.202

      access-list outside_20_cryptomap permit ip 172.18.101.0 255.255.255.0 172.18.100.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.18.101.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.18.100.0/255.255.255.0/0/0)
      current_peer: 66.194.160.10

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 32, #pkts decrypt: 32, #pkts verify: 32
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

The PC of the site B is not answering the ping or ASA is not encrypting . The reasons would be:

1 - The PC has an active firewall or antivirus blocking the PING.
2 - The gateway PC is not the ASA.

Let's Put a capture:

access-list capture-out permit ip 172.18.101.0 255.255.255.0 172.18.100.0 255.255.255.0

access-list capture-out permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0

capture inside access-list capture-out interface VoIP circular-buffer

In the capture you should see the package in and out. Please send to me the capture you see there.

yuvami251168 · ‎05-13-2010

o.k then you need the capture only on siteB?

and when I gaive the instruction of capture the ASA will gfenerate a file...or is going to display the information on the screen...if is a file how can I get it ?

ksilvaoplk · ‎05-13-2010

Oh Sorry Yuri, yes the capture is only in the ASA site B, To see the capture is with the command:

show capture inside

inside is the name of capture. Then you will see the processes that effected this package. Only on site B because the packet enters the ASA but gets no response from the PC, as shown in the catch that I sent you.

yuvami251168 · ‎05-13-2010

Here is the capture at site B:

ksilvaoplk · ‎05-13-2010

Good Morning Yuri,

Does this command to place it in this way?

global (VoIP) 1 interface (Before testing I suggest you remove)

the capture shows that packets enter the ASA but ...

1: 19:51:39.446067 802.1Q vlan#10 P0 172.18.100.41 > 172.18.101.41: icmp: echo request
2: 19:51:44.946652 802.1Q vlan#10 P0 172.18.100.41 > 172.18.101.41: icmp: echo request
3: 19:51:50.439628 802.1Q vlan#10 P0 172.18.100.41 > 172.18.101.41: icmp: echo request

no response. incoming packets are icmp: echo request but the PC or laptop to which you do the ping is not responding. The Package you should see is:

19:51:39.446067 802.1Q vlan#10 P0 172.18.101.41 > 172.18.100.41: icmp: echo reply

The packages are coming to the ASA, leaving the correct VLAN interface: 1: 19:51:39.446067 802.1Q vlan#10

do the following tests and send me the results:

1) ping to the PC from the ASA, as follows

ASA# ping 172.18.101.41 (must be answered)

2) in the PC:

C:\ tracert 172.18.101.41

C:\ ping 172.18.101.41

3) in the PC:

C:\ route print

yuvami251168 · ‎05-14-2010

Hi here is the information.

and yes I can ping to my laptop from the ASA.

ksilvaoplk · ‎05-14-2010

Hi, Yuri. I saw the tests. In your capture I saw you

computer has two default routes, what is the reason
this?.

Please make the following tests:

1) from computer

C:\\ tracert 172.18.100.41

2) active the capture:

access-list capture-out permit ip 172.18.101.0 255.255.255.0 172.18.100.0 255.255.255.0

access-list capture-out permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0

capture inside access-list capture-out interface VoIP circular-buffer

from computer C:\\ ping 172.18.100.41 -t

In the ASA see the capture: "show capture inside"

should see the incoming packets to ASA as follows:

1: 19:51:39.446067 802.1Q vlan#10 P0 172.18.101.41 > 172.18.100.41: icmp: echo request

3) C:\\ tracert 200.44.32.12

yuvami251168 · ‎05-17-2010

Hi,here are the captures...