Cisco Support Community

New Member

ASA5505 vpn tunnel

I have 2 ASA5505s. I have created a site-to-site VPN tunnel using two local networks (ex. 192.168.1.0 & 192.168.2.0).

I then tried to make another set of local IPs (ex. 192.168.3.0 & 192.168.4.0) use the same tunnel group, same external endpoints. One set of IPs is for data and the other for IP phones. VLAN 1 is not being used, VLAN 2 is the inside interface, VLAN 3 is the outside interface, and VLAN 4 is the 2nd interface, named phones. The first data networks are working fine, but the phones IP data is not flowing. I cannot ping the other side. I set VLAN 4 to not forward to interface VLAN 2 and set the security level to 100 on both ends. These are two independent local networks that don't need to talk to each other. Is there a reason anyone can think of why this wouldn't work?


42 REPLIES
Cisco Employee

Re: ASA5505 vpn tunnel

Do you mean you created another crypto map sequence for the second set?

If you do, that is not correct as you are terminating on the same peer. You just have to add to the existing crypto ACL on both sides for the original vpn tunnel.

So if your first tunnel crypto ACL says:

access-list crypto-acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Just add another line that says:

access-list crypto-acl permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0

and of course the mirror image crypto ACL on the peer ASA.

You would also need to add NAT exemption on that interface where the phone subnet is.
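
As an added example (not from this thread or from Cisco), here is a small Python check of the two points in the reply above: every crypto ACL line on one ASA needs its mirror image on the peer, and every subnet pair sent into the tunnel needs a matching nat 0 exemption on that ASA. The two configurations are constructed from the subnets used in the thread; site B is deliberately missing the phones mirror line and site A is missing the phones nat 0, so the checker has something to report.

```python
import re
from ipaddress import IPv4Network

# Matches "access-list NAME [line N] [extended] permit ip SRC SMASK DST DMASK".
# Only the network/mask form is handled; "host" and "interface" operands are
# skipped, which is enough for crypto and nat 0 ACLs written as in the thread.
ACL_RE = re.compile(
    r"^\s*access-list\s+(?P<name>\S+)\s+(?:line\s+\d+\s+)?(?:extended\s+)?permit\s+ip\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)",
    re.MULTILINE,
)
# Matches "nat (IFACE) 0 access-list NAME", i.e. a NAT exemption.
NAT0_RE = re.compile(
    r"^\s*nat\s+\((?P<iface>\S+)\)\s+0\s+access-list\s+(?P<acl>\S+)", re.MULTILINE
)

# Constructed configurations (not taken from the thread's real devices).
SITE_A = """
access-list crypto-acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list crypto-acl permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

SITE_B = """
access-list crypto-acl permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""


def parse_acls(config):
    """Return {acl_name: set of (src_cidr, dst_cidr)} from an ASA config text."""
    acls = {}
    for m in ACL_RE.finditer(config):
        src = IPv4Network(f"{m['src']}/{m['smask']}", strict=False)
        dst = IPv4Network(f"{m['dst']}/{m['dmask']}", strict=False)
        acls.setdefault(m["name"], set()).add((str(src), str(dst)))
    return acls


def mirror_gaps(local_config, peer_config, crypto_acl):
    """Crypto ACL pairs on the local ASA whose mirror (dst, src) is missing on the peer."""
    local = parse_acls(local_config).get(crypto_acl, set())
    peer = parse_acls(peer_config).get(crypto_acl, set())
    return sorted(pair for pair in local if (pair[1], pair[0]) not in peer)


def nat_exempt_gaps(config, crypto_acl):
    """Crypto ACL pairs that no 'nat (iface) 0 access-list' on this ASA exempts."""
    acls = parse_acls(config)
    exempt = set()
    for m in NAT0_RE.finditer(config):
        exempt |= acls.get(m["acl"], set())
    return sorted(pair for pair in acls.get(crypto_acl, set()) if pair not in exempt)


def report(site_a, site_b, crypto_acl="crypto-acl"):
    """Run both checks in both directions and return the findings as a dict."""
    return {
        "missing_on_b": mirror_gaps(site_a, site_b, crypto_acl),
        "missing_on_a": mirror_gaps(site_b, site_a, crypto_acl),
        "no_nat0_on_a": nat_exempt_gaps(site_a, crypto_acl),
        "no_nat0_on_b": nat_exempt_gaps(site_b, crypto_acl),
    }


if __name__ == "__main__":
    for key, pairs in report(SITE_A, SITE_B).items():
        print(key, pairs or "ok")
```

The check only confirms that a nat 0 exemption exists somewhere on the ASA for each crypto pair; it does not know which interface a subnet actually sits behind, so the thread's point that the exemption must be on the phones interface (when the phone subnet has its own interface) still has to be verified by hand.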

New Member

Re: ASA5505 vpn tunnel

Thanks for the reply,

Actually, I created the first site-to-site with the VPN wizard and it works fine. I then created the second site-to-site with the wizard also, and when it came to adding the gateway-to-gateway, a box popped up saying that the tunnel group already existed and asking whether I wanted to use it. I said yes. I then went on with the wizard and it completed. Below are the commands it added to the firewall:

!ASA
!Single Routed
!29-Apr-10_18.40.33
!Preview CLI Commands 

crypto isakmp enable phones
access-list phones_1_cryptomap line 1 extended permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound line 2 extended permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map phones_map 1 match address phones_1_cryptomap
crypto map phones_map 1 set  pfs group1
crypto map phones_map 1 set  peer  External IP
crypto map phones_map 1 set  transform-set  ESP-3DES-SHA
crypto map phones_map interface  phones

Does this seem correct?

Cisco Employee

Re: ASA5505 vpn tunnel

No, that is not correct. If you use the wizard, it will create a brand new tunnel with the same peer endpoint. You can't configure 2 crypto map names and apply both on the outside interface.

You would need to edit the existing crypto map, and add crypto ACL for the new subnets.

If you check the output of "show run crypto map", it would already have the existing tunnel configuration, and since the peer address is the same, just add another line to the existing crypto ACL, and remember to configure the mirror image ACL on the peer device.

New Member

Re: ASA5505 vpn tunnel

Very good, I understand now, thanks. One other question about NAT.

I currently have 2 NAT statements on one of the firewalls, as follows:

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0

The other firewall has one as follows:

nat (inside) 0 access-list inside_nat0_outbound

Now, would I add a statement to the current access-list inside_nat0_outbound, then write a NAT exemption as follows:

nat (phones) 0 access-list inside_nat

Or should I write a new access-list such as access-list phones_nat0_outbound extended permit ip (ip info), then apply it to a new NAT statement such as:

nat (phones) 0 access-list phones_nat0_outbound

I'm a little confused about the number that follows the nat statement, or whether each nat statement needs to be in number order such as:

nat (inside) 0

nat (inside) 1

nat (phones) 2

I thank you for your help and patience. I'm pretty good with routers and switches, but an admitted novice with firewalls.

Cisco Employee

Re: ASA5505 vpn tunnel

It depends on how the phone subnet is connected on the ASA.

If your phone subnet is connected on a separate interface on the ASA (for example, an interface that you have named "phones"), then you would need to create a new access-list and assign it to the "phones" interface.

Example:

access-list phones-nonat permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0

nat (phones) 0 access-list phones-nonat

On the other hand, if the phone subnet is connected to the ASA via the inside interface, i.e. the phone subnet is routed via the inside interface of the ASA, then you only need to add the line to the existing ACL on the inside interface.

Example:

Currently the inside NAT statement says "nat (inside) 0 access-list 101", and all you need to add is another line to ACL 101 as follows:

access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0

Here is a sample configuration with 2 internal interfaces (inside and dmz) for a site-to-site VPN tunnel for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806a5cea.shtml

The sample configuration uses the same NoNAT ACL for both the inside and dmz interfaces. I would recommend that you create a different ACL for the NAT statement on each interface instead of using the same ACL on both interfaces.

Hope that helps.

New Member

Re: ASA5505 vpn tunnel

Yes that definitely helps, Thank You.

You know, I searched up and down the show commands but could not find one that would show me the local networks that are associated with, or go across, a specific VPN tunnel, whether it's 1 network or 3 local networks. Do you know any commands that show them?

Cisco Employee

Re: ASA5505 vpn tunnel

Are you trying to find out what local subnets have been configured on the ASA?

You can run "show run interface", and the output would show you what subnets/interfaces have been configured currently on the ASA.

You can also run "show route" to check if any specific local subnet has been routed through one of the interfaces.

New Member

Re: ASA5505 vpn tunnel

No, those I know. Say you have a single site-to-site (or gateway-to-gateway) VPN tunnel through the internet, but you set up multiple local networks on each side to cross the single tunnel, as we discussed in this thread. Is there a show command that would say: here is this one VPN tunnel and these are the permitted local (or private) networks that are configured to cross that one VPN tunnel? Maybe even the statistics, such as how much traffic is being sent and received through the VPN tunnel from each local network configured to use the VPN tunnel?

Cisco Employee

Re: ASA5505 vpn tunnel

Yes, "show crypto ipsec sa" will show you the statistics for each ACL line that you have configured for your crypto ACL. It will show how many packets have been encrypted and decrypted per ACL subnet pair.

New Member

Re: ASA5505 vpn tunnel

Hi again,

Well, I finally went on site, added those two lines of config (1 to the existing crypto map ACL) and created a new nat0 phones ACL. I was now able to pass traffic from the inside and phones interfaces down the one tunnel. The inside interface always worked: being able to RDP to other PCs, cameras running across the VPN, etc., TCP sessions. But on the phones network I can ping anything on the other side of the VPN tunnel and thought all was good. The only thing is that it seems I can't open anything on the other side through the phones interface, just ping. I can telnet to the level 3 switch on the other side through the inside interface but NOT through the phones interface. It seems like I can't do TCP sessions. I was under the impression these VPN tunnels should pass the traffic as trusted traffic, as if it was inside and part of the whole network. Any ideas? I can post the configs from both ASA5505s if needed.

Thanks again, you've been most helpful.

Cisco Employee

Re: ASA5505 vpn tunnel

Please post the config from both ASAs, and also advise the source and destination ip address of the traffic which is not working.

Thanks for the rating.

New Member

Re: ASA5505 vpn tunnel

Thanks Halijenn,

Here are the configs, edited to protect the innocent, lol. Also, I can't get out to the internet on the remote config. I mean I can, or I wouldn't have a VPN tunnel. But you can't browse the internet from a PC at the remote location on either network; I only really need it on the inside interface. Any ideas on that too? At first I noticed no NAT statement on the inside interface (nat 1 0.0.0.0 0.0.0.0), but I added this and still no browsing.

The inside interface on both configs is passing traffic fine. (10.1.1.0 to 10.4.1.0)

The phones interface has connectivity, I can ping across the VPN tunnel, but no other communication (TCP). The networks there are 10.1.5.0 to 10.4.5.0.

Thanks

New Member

Re: ASA5505 vpn tunnel

Change the following on the remote side:

global (inside) 1 interface to global (outside) 1 interface. This will PAT the inside hosts to the outside for internet access.

New Member

Re: ASA5505 vpn tunnel

Jeez, I don't know how I missed that. I need some time off,lol. Thanks em6557

Still not sure why I can't communicate on the phones vlan1 interface, network 10.4.5.0 to 10.1.5.0, or vice versa, through the VPN tunnel; I can only ping through the VPN tunnel for those networks.

Inside interface and networks, 10.1.1.0 to 10.4.1.0, work fine.

Is it possibly a limitation of the basic license of the ASA5505? Or are the configs correct and it should work?

Cisco Employee

Re: ASA5505 vpn tunnel

Configuration looks correct on both sides of the ASA.

Can you please advise what ip address you are trying to ping from and to from the 10.1.5.0/24 and 10.4.5.0/24 subnets?

If you are trying to ping, please also add the following icmp inspection on both ASA:

policy-map global_policy
 class inspection_default
  inspect icmp

After you ping from the phones subnet, please kindly grab the output of:

show crypto ipsec sa

New Member

Re: ASA5505 vpn tunnel

Hi, I have the same problem with two Cisco ASA5505s.

I already have a VPN working between site A and site B. Now the customer asks me to connect the IP PBXs together, so I created a VLAN 10 at both sides.

At site A 172.18.100.0 and at site B 172.18.101.0. I added the ACL line for those addresses under the data ACL (I only added the line), but it is not working.

When I try to ping from site B, from the config terminal on the ASA, to the eth port of the remote site, I don't receive a response. It is the same problem in both directions.

New Member

Re: ASA5505 vpn tunnel

Hi Yuri, sorry, the packet-tracer command is as follows; I misplaced the sequence numbers:

packet-tracer  input VoIP icmp 172.18.100.1 2 2 172.18.101.1 detail

New Member

Re: ASA5505 vpn tunnel

Hello Yuri, sorry for my English.

I see only two problems with site A:

1) This access-list:

access-list outside_nat0_outbound extended permit ip interface VoIP 172.18.101.0 255.255.255.0

This allows only the traffic from the interface and not from the voice devices.

2) Why did you place the nat 0 here: "nat (outside) 0 access-list outside_nat0_outbound"?

The nat 0 should go only on the VoIP interface.

On site B I see everything properly configured; on site A it should be of the form:

access-list outside_nat0_outbound extended permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0
nat (VoIP) 0 access-list outside_nat0_outbound

access-list outside_100_cryptomap extended permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0 (this is good)

These lines are not applied anywhere:

access-list nonatVoIP extended permit ip host 192.168.8.133 10.0.5.0 255.255.255.0
access-list nonatVoIP extended permit ip host 192.168.8.133 host 10.0.5.7
access-list nonatVoIP extended permit ip any 192.168.8.0 255.255.255.0

Can you try the command

packet-tracer input VoIP icmp 172.18.100.1 0 0 172.18.101.1 detail

and post the results here?

I hope this is of help to you.

New Member

Re: ASA5505 vpn tunnel

Thank you, let me try that.

New Member

Re: ASA5505 vpn tunnel

Hello Yuri, a suggestion about how to conduct the tests. The ping must be done from an internal device: when you ping with "eppacurie(config)# ping 172.18.101.100", the ASA sends the IP packet with the source IP of the OUTSIDE interface and there is no response from the other site. The suggestion is: put a laptop in the VoIP segment with a valid IP 172.18.100.X and leave a permanent ping running: ping 172.18.100.X -t. Then go to the ASA and run the command "show crypto ipsec sa"; you should see whether there is a "match" in traffic, for example:


SITE A:

show crypto ipsec sa
interface: outside
    Crypto map tag: VPNMAP, seq num: 36, local addr: 200.44.188.130

      access-list outside_100_cryptomap permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0 
      local ident (addr/mask/prot/port): (172.18.100.0 255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.18.101.0/255.255.255.0/0/0)
      current_peer: 12.132.144.202

      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10 (These are the packets that you send from your laptop)
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9    (These are the packets you receive from the remote network)
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 10 , #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 66.194.160.10, remote crypto endpt.: 12.132.144.202

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 77F9B42B (This is  different according to your connection)

On the other ASA you should see more or less the same, but it must display packets encrypted and decrypted, more or less the same amount on both sides.

The INSIDE interface usually does not answer PING; I suggest you put a PC or laptop on each side to test the ping between the devices, for example:

LAPTOP in eppacurie with IP 172.18.100.10 pinging the laptop with IP 172.18.101.10 in Northeast. Remember to disable the firewall on the two devices during the test.

Please send me:

show crypto ipsec sa (both devices)

show crypto isa sa (both devices)

The packet-tracer on site A is good; traffic passes through all stages before being sent.

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW

Phase: 8
Type: NAT
Subtype:
Result: ALLOW

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW

Phase: 10
Type: HOST-LIMIT
Subtype:
Result: ALLOW

Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW

Module information for reverse flow ...

Phase: 13
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW

Module information for reverse flow ...

Result:
input-interface: VoIP
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Have you worked with the CAPTURE command? You can configure it to see whether the traffic is sent and received normally.

This line should not be placed on this interface (SITE A):

nat (outside) 0 access-list outside_nat0_outbound

New Member

Re: ASA5505 vpn tunnel

Hi, here is the information from the two sides... I connected a laptop at each side.

site A: 172.18.100.41

site B: 172.18.101.41

Also I'm including a ping to a device on the data network, 192.168.8.71; I got a ping answer from that device.

New Member

Re: ASA5505 vpn tunnel

Hello, Yuri.

With this capture we can see that the problem is on site B:

Northeast# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 12.132.144.202

      access-list outside_20_cryptomap permit ip 172.18.101.0 255.255.255.0 172.18.100.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.18.101.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.18.100.0/255.255.255.0/0/0)
      current_peer: 66.194.160.10

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0     
      #pkts decaps: 32, #pkts decrypt: 32, #pkts verify: 32

      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

The PC at site B is not answering the ping, or the ASA is not encrypting. The reasons could be:

1 - The PC has an active firewall or antivirus blocking the PING.
2 - The PC's gateway is not the ASA.

Let's put a capture in place:

access-list capture-out permit ip 172.18.101.0 255.255.255.0 172.18.100.0 255.255.255.0

access-list capture-out permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0

capture inside access-list capture-out interface VoIP circular-buffer

In the capture you should see the packets in and out. Please send me the capture you see there.
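
The counters are the key diagnostic in the post above: at site B, #pkts decaps is 32 while #pkts encaps is 0, so that ASA is decrypting traffic from the peer but never encrypting a reply. As an added example (not from this thread or from Cisco), the Python below parses show crypto ipsec sa output into one record per SA, lists the subnet pairs configured to cross the tunnel (the question asked earlier in the thread), and flags one-way SAs. The sample output is constructed in the thread's format; the peer addresses (203.0.113.10, 198.51.100.20) are documentation ranges, not the thread's devices.

```python
import re

# Constructed sample in the layout of "show crypto ipsec sa" as quoted in the
# thread. The first SA reproduces the site B symptom (decaps only); the second
# is a healthy SA for comparison.
SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.10

      access-list outside_10_cryptomap permit ip 172.18.101.0 255.255.255.0 172.18.100.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.18.101.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.18.100.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 32, #pkts decrypt: 32, #pkts verify: 32
      #send errors: 0, #recv errors: 0

    Crypto map tag: outside_map, seq num: 20, local addr: 203.0.113.10

      access-list outside_20_cryptomap permit ip 10.4.1.0 255.255.255.0 10.1.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.4.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 118, #pkts encrypt: 118, #pkts digest: 118
      #pkts decaps: 121, #pkts decrypt: 121, #pkts verify: 121
      #send errors: 0, #recv errors: 0
"""

# The site A paste in the thread has a space instead of the first slash inside
# the ident tuple, so either separator between address and mask is accepted.
IDENT_RE = re.compile(
    r"(?P<which>local|remote) ident \(addr/mask/prot/port\): "
    r"\((?P<addr>[\d.]+)[/ ](?P<mask>[\d.]+)/"
)
PEER_RE = re.compile(r"current_peer: (?P<peer>\S+)")
COUNTER_RE = re.compile(r"#pkts (?P<name>encaps|decaps): (?P<n>\d+)")


def parse_ipsec_sa(text):
    """One dict per SA: local, remote, peer and the encaps/decaps counters."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            if m["which"] == "local":          # a new SA record starts here
                cur = {"local": None, "remote": None, "peer": None,
                       "encaps": 0, "decaps": 0}
                sas.append(cur)
            if cur is not None:
                cur[m["which"]] = f"{m['addr']}/{m['mask']}"
            continue
        if cur is None:
            continue
        m = PEER_RE.search(line)
        if m:
            cur["peer"] = m["peer"]
        for c in COUNTER_RE.finditer(line):
            cur[c["name"]] = int(c["n"])
    return sas


def classify(sa):
    """Traffic direction seen on this SA, judged from the encaps/decaps counters."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle"            # nothing has matched this crypto ACL line yet
    if sa["encaps"] == 0:
        return "receive-only"    # decrypting, but never encrypting a reply
    if sa["decaps"] == 0:
        return "send-only"       # encrypting, but the peer never answers
    return "bidirectional"


def tunnel_pairs(text):
    """Subnet pairs configured to cross the tunnel, as (local, remote) strings."""
    return [(sa["local"], sa["remote"]) for sa in parse_ipsec_sa(text)]


def one_way_sas(text):
    """SAs whose counters show traffic in only one direction."""
    return [(sa["local"], sa["remote"], classify(sa))
            for sa in parse_ipsec_sa(text)
            if classify(sa) in ("receive-only", "send-only")]


if __name__ == "__main__":
    for local, remote, status in one_way_sas(SAMPLE):
        print(f"{local} <-> {remote}: {status}")
```

A receive-only SA on the ASA nearest the target host points away from the tunnel itself: the encrypted packets arrive and are decrypted, so what is missing is the return traffic, which is why the reply above turns to a host firewall, the host's default gateway and an interface capture.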

New Member

Re: ASA5505 vpn tunnel

OK, then you need the capture only on site B?

And when I give the capture instruction, will the ASA generate a file, or is it going to display the information on the screen? If it is a file, how can I get it?

New Member

Re: ASA5505 vpn tunnel

Oh, sorry Yuri, yes, the capture is only on the site B ASA. To see the capture, use the command:

show capture inside

inside is the name of the capture. Then you will see what happened to this packet. Only on site B, because the packet enters the ASA but gets no response from the PC, as shown in the capture that I sent you.

New Member

Re: ASA5505 vpn tunnel

Here is the capture at site B:

New Member

Re: ASA5505 vpn tunnel

Good Morning Yuri,

Did you place this command in this way?

global (VoIP) 1 interface (before testing I suggest you remove it)

The capture shows that packets enter the ASA but ...

   1: 19:51:39.446067 802.1Q vlan#10 P0 172.18.100.41 > 172.18.101.41: icmp: echo request
   2: 19:51:44.946652 802.1Q vlan#10 P0 172.18.100.41 > 172.18.101.41: icmp: echo request
   3: 19:51:50.439628 802.1Q vlan#10 P0 172.18.100.41 > 172.18.101.41: icmp: echo request

there is no response. The incoming packets are icmp: echo request, but the PC or laptop you are pinging is not responding. The packet you should see is:

19:51:39.446067 802.1Q vlan#10 P0 172.18.101.41 > 172.18.100.41: icmp: echo reply

The packets are arriving at the ASA on the correct VLAN interface: 1: 19:51:39.446067 802.1Q vlan#10

Do the following tests and send me the results:

1) ping to the PC from the ASA, as follows:

ASA# ping 172.18.101.41 (must be answered)

2) on the PC:

C:\ tracert 172.18.101.41

C:\ ping 172.18.101.41

3) on the PC:

C:\ route print
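
To make the capture reading above mechanical, here is an added Python example (not from this thread or from Cisco) that parses show capture lines in the format quoted above, pairs each ICMP echo request with a reply in the opposite direction, and reports the flows that got no answer. Both sample captures are constructed: the first reproduces the three unanswered requests seen at site B, the second shows what a healthy exchange on the same interface looks like.

```python
import re
from collections import Counter

# One "show capture" line:
#   N: HH:MM:SS.usec [802.1Q vlan#V Pp] SRC > DST: icmp: echo request|reply
CAP_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q\s+vlan#(?P<vlan>\d+)\s+P\d+\s+)?"
    r"(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)\s*$"
)

# Constructed captures in the thread's format (timestamps made up).
BROKEN = """\
   1: 19:51:39.446067 802.1Q vlan#10 P0 172.18.100.41 > 172.18.101.41: icmp: echo request
   2: 19:51:44.946652 802.1Q vlan#10 P0 172.18.100.41 > 172.18.101.41: icmp: echo request
   3: 19:51:50.439628 802.1Q vlan#10 P0 172.18.100.41 > 172.18.101.41: icmp: echo request
"""

HEALTHY = """\
   1: 20:03:01.100000 802.1Q vlan#10 P0 172.18.100.41 > 172.18.101.41: icmp: echo request
   2: 20:03:01.100400 802.1Q vlan#10 P0 172.18.101.41 > 172.18.100.41: icmp: echo reply
   3: 20:03:02.100000 802.1Q vlan#10 P0 172.18.100.41 > 172.18.101.41: icmp: echo request
   4: 20:03:02.100300 802.1Q vlan#10 P0 172.18.101.41 > 172.18.100.41: icmp: echo reply
"""


def parse_capture(text):
    """Return one dict per ICMP echo line; lines that do not match are ignored."""
    packets = []
    for line in text.splitlines():
        m = CAP_RE.match(line)
        if m:
            packets.append({"num": int(m["num"]), "ts": m["ts"], "vlan": m["vlan"],
                            "src": m["src"], "dst": m["dst"], "kind": m["kind"]})
    return packets


def echo_summary(text):
    """For each (src, dst) that sent echo requests: (requests seen, replies seen)."""
    requests, replies = Counter(), Counter()
    for p in parse_capture(text):
        if p["kind"] == "request":
            requests[(p["src"], p["dst"])] += 1
        else:
            # A reply dst->src answers the request flow src->dst.
            replies[(p["dst"], p["src"])] += 1
    return {pair: (n, replies[pair]) for pair, n in requests.items()}


def unanswered(text):
    """Flows with echo requests but no echo reply at all, as (src, dst, count)."""
    return [(src, dst, n)
            for (src, dst), (n, r) in echo_summary(text).items() if r == 0]


if __name__ == "__main__":
    for src, dst, n in unanswered(BROKEN):
        print(f"{n} echo requests {src} -> {dst} with no reply on this interface")
```

Requests leaving the ASA toward the host with no reply coming back, while the SA counters on the same ASA show decaps only, place the fault on the destination host or its routing rather than on the tunnel, which is the conclusion the thread reaches.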

New Member

Re: ASA5505 vpn tunnel

Hi, here is the information.

and yes I can ping to my laptop from the ASA.

New Member

Re: ASA5505 vpn tunnel

Hi, Yuri. I saw the tests. In your capture I saw your computer has two default routes; what is the reason for this?

Please do the following tests:

1) from the computer:

    C:\ tracert 172.18.100.41

2) activate the capture:

   access-list capture-out permit ip 172.18.101.0 255.255.255.0 172.18.100.0 255.255.255.0

   access-list capture-out permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0

   capture inside access-list capture-out interface VoIP circular-buffer

   from the computer: C:\ ping 172.18.100.41 -t

   On the ASA, see the capture: "show capture inside"

   You should see the incoming packets to the ASA as follows:

    1: 19:51:39.446067 802.1Q vlan#10 P0 172.18.101.41 > 172.18.100.41: icmp: echo request

3) C:\ tracert 200.44.32.12

New Member

Re: ASA5505 vpn tunnel

Hi, here are the captures...
