New Member

Help with Site to Site VPN on ASA5505

Hey guys,

Hope all is well on netpro, I really need some help. I have been trying to work on a site to site VPN for almost a full two weeks now and can't seem to get any further than I am now. I am hoping someone can take a look at the thread below and help me out. I have started over about 100 times and always come to the same place...I can get the VPN connection active, but cannot pass traffic at all or correctly.

https://learningnetwork.cisco.com/thread/36319?tstart=0

Here is my latest configuration for my ASA:

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.5.12.251 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list OUTSIDE_CRYPTOMAP extended permit ip 192.168.133.0 255.255.255.0 192.168.134.0 255.255.255.0
access-list POLICY_NAT extended permit ip 10.5.12.0 255.255.255.0 192.168.134.0 255.255.255.0
access-list INSIDE_NAT_STATIC extended permit ip 192.168.134.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.133.0  access-list POLICY_NAT
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.5.12.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ASA_VPN_TO_SONIC esp-3des esp-md5-hmac
crypto map OUTSIDE_MAP 20 match address OUTSIDE_CRYPTOMAP
crypto map OUTSIDE_MAP 20 set pfs
crypto map OUTSIDE_MAP 20 set peer 2.2.2.2
crypto map OUTSIDE_MAP 20 set transform-set ASA_VPN_TO_SONIC
crypto map OUTSIDE_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6830d2eaae271ea805d9357910b5dcdf
: end

The real internal IP address range behind the ASA is 10.5.12.0/24 and that should be natted to 192.168.133.0/24 when leaving the ASA to cross the tunnel.

The remote internal address range is a combination of 10.x.0.0/16 addresses and those need to be natted to 192.168.134.0/24 when leaving the remote Sonicwall firewall. So to make that simple I want to just NAT the entire 10.0.0.0/8 subnet.

I can't wrap my head around how the ASA knows to use the tunnel for all 10.0.0.0/8 traffic when it is itself connected to a 10.5.12.0/24 subnet. I assume routing.

Please let me know any more info that is needed.

24 REPLIES

Help with Site to Site VPN on ASA5505

Hi,

First of all, I would suggest removing PFS on both sides and trying again; also verify the remote-side ACL.

Also, from your end you can run this and paste the output here.

# packet-tracer input inside tcp 10.5.12.1 1025 192.168.134.1 80

This will show you where the packet is getting stuck.

Thanks

Ajay

New Member

Help with Site to Site VPN on ASA5505

ciscoasa# packet-tracer input inside tcp 10.5.12.1 1025 192.168.134.1 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 192.168.134.0  access-list POLICY_NAT
  match ip inside 10.5.12.0 255.255.255.0 outside 10.0.0.0 255.0.0.0
    static translation to 192.168.134.0
    translate_hits = 136, untranslate_hits = 0
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 552, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
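A small parser for that packet-tracer output, added here as an example (it is not code from the thread or from Cisco): it splits the trace into phases and pulls out the first DROP phase together with the Drop-reason line, which is the part to read first. The sample is a constructed trim of the trace above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, trimmed from the packet-tracer output posted above.
SAMPLE = """ciscoasa# packet-tracer input inside tcp 10.5.12.1 1025 192.168.134.1 80

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 192.168.134.0  access-list POLICY_NAT
  match ip inside 10.5.12.0 255.255.255.0 outside 10.0.0.0 255.0.0.0
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (No matching global)
Additional Information:

Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"

def parse_phases(text):
    """Split packet-tracer output into its numbered phases."""
    phases, cur, in_config = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur, in_config = Phase(int(m.group(1))), False
            phases.append(cur)
        elif cur is None or not line:
            pass                                   # preamble, summary or blank
        elif line == "Result:":
            cur, in_config = None, False           # bare "Result:" opens the summary
        elif in_config and not line.startswith("Additional Information"):
            cur.config.append(line)
        elif line.startswith("Config:"):
            in_config = True
        elif line.startswith("Additional Information"):
            in_config = False
        else:
            key, _, value = line.partition(":")
            if key in ("Type", "Subtype", "Result"):
                setattr(cur, key.lower(), value.strip())
    return phases

def first_drop(text):
    """Return (first DROP phase or None, Drop-reason text or None)."""
    m = re.search(r"Drop-reason:\s*(.+)", text)
    reason = m.group(1).strip() if m else None
    drops = [p for p in parse_phases(text) if p.result == "DROP"]
    return (drops[0] if drops else None), reason
```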

Help with Site to Site VPN on ASA5505

Just give it a try.

Remove:

nat (inside) 1 0.0.0.0 0.0.0.0

since this is matching nowhere. After removing it, paste the output of packet-tracer please.

Thanks

Ajay

New Member

Help with Site to Site VPN on ASA5505

OK, so that seemed to work... well, everything says allow now... so does that mean the ASA is working correctly?

ciscoasa# packet-tracer input inside tcp 10.5.12.1 1025 192.168.134.1 80

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 192.168.134.0  access-list POLICY_NAT
  match ip inside 10.5.12.0 255.255.255.0 outside 10.0.0.0 255.0.0.0
    static translation to 192.168.134.0
    translate_hits = 194, untranslate_hits = 0
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 777, packet dispatched to next module

Phase: 8
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 173.167.173.210 using egress ifc outside
adjacency Active
next-hop mac address 78cd.8e65.a4a2 hits 511

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

New Member

Help with Site to Site VPN on ASA5505

So how does the ASA know that if it needs to ping, let's say, 10.101.1.1 that it needs to use the VPN tunnel to get there?

Green

Help with Site to Site VPN on ASA5505

It doesn't know. You have told it that traffic to 192.168.134.0 is to be encrypted. This is the issue you will have in my opinion. The remote end would have to translate that destination address back to 10.101.1.1. Then when the remote end replied, your ASA would have to translate the destination of 192.168.133.x back to 10.5.12.x. In my opinion, if there is no 10.5.12.0/24 network on the remote end, I would remove the policy NAT and just send the source of 10.5.12.x over the VPN and use the destination of 10.101.x.x.

New Member

Help with Site to Site VPN on ASA5505

Well this is where the problem lies. My remote network does not have a 10.5.12.0/24 network, but it has:

10.101.0.0
10.102.0.0
10.103.0.0
10.110.0.0
10.111.0.0
10.113.0.0
10.118.0.0

So that being said, I want to just sum these all up by using 10.0.0.0/8, which the 10.5.12.0/24 network belongs to.

Green

Help with Site to Site VPN on ASA5505

Steven, I assume you have a similar static policy NAT configuration on the Sonicwall end as well?

Green

Re: Help with Site to Site VPN on ASA5505

I think I may finally understand this myself.

With this config

access-list POLICY_NAT extended permit ip 10.5.12.0 255.255.255.0 192.168.134.0 255.255.255.0

static (inside,outside) 192.168.133.0 access-list POLICY_NAT

You are translating your source address of 10.5.12.x to 192.168.133.x when going to 192.168.134.y.

Let's say the Sonicwall side was configured like so.

access-list POLICY_NAT extended permit ip 10.0.0.0 255.0.0.0 192.168.133.0 255.255.255.0

static (inside,outside) 192.168.134.0 access-list POLICY_NAT

When it arrives at the Sonicwall, it should translate only the network bits of the address. So my guess is it would translate the destination to 10.168.134.y, which obviously won't work. Try this.

ASA

access-list POLICY_NAT extended permit ip 10.5.12.0 255.255.255.0 192.0.0.0 255.0.0.0

static (inside,outside) 192.168.133.0 access-list POLICY_NAT

Sonicwall equivalent.

access-list POLICY_NAT extended permit ip 10.0.0.0 255.0.0.0 192.168.133.0 255.255.255.0

static (inside,outside) 192.0.0.0 access-list POLICY_NAT

Now if you initiate from 10.5.12.x to 192.101.x.y, the source will be translated to 192.168.133.x. At the Sonicwall the destination will be translated to 10.101.x.y.

The reply from 10.101.x.y will be translated to 192.101.x.y. At the ASA the destination will be translated back from 192.168.133.x to 10.5.12.x.

I will try to test this tomorrow, I could very well be completely full of it.

New Member

Re: Help with Site to Site VPN on ASA5505

Any luck on this?

New Member

Re: Help with Site to Site VPN on ASA5505

acomiskey wrote:

When it arrives at the sonicwall, it should translate only the network bits of the address. So my guess is it would translate the destination to 10.168.134.y. Which obviously won't work. Try this.


I assume you meant 192.168.134.y... why won't this work?

New Member

Re: Help with Site to Site VPN on ASA5505

What would be the destination network on the sonicwall? The NAT address range on the ASA or the real LAN address range? This is where I get confused.

Help with Site to Site VPN on ASA5505

The NAT address range on the ASA would be the destination, since the packet reaches the Sonicwall with the identity of 192.168.134.0/24.

New Member

Re: Help with Site to Site VPN on ASA5505

Ok well I have everything set on each end and verified, but still cannot get traffic across the VPN tunnel? Do I have to add static routes to the routing table? What are some show commands or debug commands that I can use to see if the traffic is trying to cross the VPN tunnel?

New Member

Re: Help with Site to Site VPN on ASA5505

This doesn't seem right to me:

ciscoasa# show nat

NAT policies on Interface inside:
  match ip inside 10.5.12.0 255.255.255.0 outside 10.0.0.0 255.0.0.0
    static translation to 192.168.134.0
    translate_hits = 1517, untranslate_hits = 0

NAT policies on Interface outside:
  match ip outside 10.5.12.0 255.255.255.0 inside any
    static translation to 192.168.133.0
    translate_hits = 0, untranslate_hits = 1

New Member

Re: Help with Site to Site VPN on ASA5505

ciscoasa#  show ipsec sa
interface: outside
    Crypto map tag: OUTSIDE_MAP, seq num: 20, local addr: 1.1.1.2

      access-list OUTSIDE_CRYPTOMAP permit ip 192.168.133.0 255.255.255.0 192.168.134.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.133.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.134.0/255.255.255.0/0/0)
      current_peer: 2.2.2.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 1.1.1.2, remote crypto endpt.: 2.2.2.2

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: CC2699B5

    inbound esp sas:
      spi: 0x168AB64E (378189390)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 9207, crypto-map: OUTSIDE_MAP
         sa timing: remaining key lifetime (sec): 27911
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xCC2699B5 (3425081781)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 9207, crypto-map: OUTSIDE_MAP
         sa timing: remaining key lifetime (sec): 27911
         IV size: 8 bytes
         replay detection support: Y

Should the local identity be 10.5.12.0/24??

Help with Site to Site VPN on ASA5505

Right.

access-list OUTSIDE_CRYPTOMAP extended permit ip 192.168.133.0 255.255.255.0 192.168.134.0 255.255.255.0

access-list POLICY_NAT extended permit ip 10.5.12.0 255.255.255.0 192.168.134.0 255.255.255.0

If the remote site is NATted with 192.168.134.0/24, then on the ASA the POLICY_NAT ACL should be

access-list POLICY_NAT extended permit ip 10.5.12.0 255.255.255.0 192.168.133.0 255.255.255.0

So from the ASA the crypto would be from 192.168.133.0 255.255.255.0 > 192.168.134.0 255.255.255.0

From the Sonicwall the crypto would be from 192.168.134.0 255.255.255.0 > 192.168.133.0 255.255.255.0

Try this once.

New Member

Help with Site to Site VPN on ASA5505

Making that change on the policy NAT ACL gave me this for the show nat command:

ciscoasa# show nat

NAT policies on Interface inside:
  match ip inside 10.5.12.0 255.255.255.0 outside 192.168.134.0 255.255.255.0
    static translation to 192.168.134.0
    translate_hits = 0, untranslate_hits = 0

NAT policies on Interface outside:
  match ip outside 10.5.12.0 255.255.255.0 inside any
    static translation to 192.168.133.0
    translate_hits = 0, untranslate_hits = 0

This doesn't seem right to me, nor does it make sense.

New Member

Help with Site to Site VPN on ASA5505

If indeed my VPN tunnel is active, which "show isakmp sa" shows, when I try to ping 10.101.1.1 for instance it shows it going out to the default gateway and over the internet? That is not correct, is it?

Green

Help with Site to Site VPN on ASA5505

Yes it is correct. The whole idea of what you are doing here is to hide the real address behind a masqueraded address. You cannot attempt to communicate with the real addresses as these addresses overlap on each remote end. Therefore you create a masqueraded address which is used to traverse the tunnel. You have made these 192.168.133 and 134. According to the routing table, 10.100.1.1 is out the internet and not over the vpn.

How this needs to work is you need to actually ping w.x.y.z, then it goes over the tunnel and gets translated on the remote end to 10.x.y.z.

New Member

Help with Site to Site VPN on ASA5505

I can get the VPN tunnel up between the ASA and the Sonicwall but I cannot pass traffic over the tunnel? Can someone help me how to get this done? Do I need to add routing? What is the default gateway when trying to send the traffic over the tunnel?

New Member

Help with Site to Site VPN on ASA5505

static (outside,inside) 192.168.134.0 10.0.0.0 netmask 255.0.0.0

Is this saying see packets coming in from the outside interface that will be labeled as 192.168.134.0 addresses, but those packets really came from a network that belonged to 10.0.0.0 255.0.0.0?

Green

Help with Site to Site VPN on ASA5505

Ok Steven, I got this set up and working between 2 ASA5505's. Here are the configs. What you need to do is look at your situation like the entire 10.0.0.0/8 is overlapping on both ends.

hostname ASA-1
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.0.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
access-list policy-nat extended permit ip 10.0.0.0 255.0.0.0 192.0.0.0 255.0.0.0
access-list vpn extended permit ip 192.0.0.0 255.0.0.0 192.0.0.0 255.0.0.0
access-list outside_access_in extended permit icmp any any
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.0.0.0  access-list policy-nat
!
access-group outside_access_in in interface outside
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address vpn
crypto map outside_map1 1 set peer 1.1.1.2
crypto map outside_map1 1 set transform-set ESP-3DES-MD5
crypto map outside_map1 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
pre-shared-key *

hostname ASA-2
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.0.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
access-list policy-nat extended permit ip 10.0.0.0 255.0.0.0 192.0.0.0 255.0.0.0
access-list vpn extended permit ip 192.0.0.0 255.0.0.0 192.0.0.0 255.0.0.0
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.0.0.0  access-list policy-nat
!
route outside 0.0.0.0 0.0.0.0 1.1.1.1
!

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map0 1 match address vpn
crypto map outside_map0 1 set peer 1.1.1.1
crypto map outside_map0 1 set transform-set ESP-3DES-MD5
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *

Here is how it works. So behind ASA-1 I had a host we will call Host-A (real ip of 10.1.100.1/8). Behind ASA-2 I had a host we will call Host-B (real ip of 10.5.100.1/8.)

To ping from Host-A to Host-B you must ping 192.5.100.1 (Use 192 for the network mask bit, and the host address for the rest).

1. Ping 192.5.100.1 from Host-A.

2. ASA-1 matches this traffic (10.1.100.1 -> 192.5.100.1) to the policy-nat acl and translates the source address from 10.1.100.1 to 192.1.100.1.

3. ASA-1 matches this new source and destination address (192.1.100.1 -> 192.5.100.1) to the vpn acl and sends it over the tunnel.

4. Traffic arrives at ASA-2.

5. Destination address (192.5.100.1) matches the policy-nat acl and the destination is translated from 192.5.100.1 to 10.5.100.1.

6. Ping is sent to 10.5.100.1 and it replies to the ping.

7. ASA-2 matches this traffic (10.5.100.1 -> 192.1.100.1) to the policy-nat acl and translates the source address from 10.5.100.1 to 192.5.100.1.

8. ASA-2 matches this new source and destination address (192.5.100.1 -> 192.1.100.1) to the vpn acl and sends it over the tunnel.

9. Traffic arrives at ASA-1.

10. Destination address (192.1.100.1) matches the policy-nat acl and the destination is translated from 192.1.100.1 to 10.1.100.1.

11. Host-A receives the ping reply.

So, if you want to ping from either side to 10.x.y.z on the other end, simply change the 10 to 192 and ping to 192.x.y.z. This worked for me and hopefully will work for you. Unfortunately you don't have 2 ASA's and I can't help on the Sonicwall config.
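The eleven-step walk above, modelled in Python as an added example (not code from the post, from Cisco, or from the lab itself). It assumes the static policy NAT replaces only the network bits under the mapped /8 and keeps the host bits, which is exactly what the trace shows; it also covers the earlier question in the thread of why a ping to a real 10.101.1.1 leaves by the default route, since untranslated 10.x traffic never matches the vpn acl.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the two-ASA lab. Assumption: static policy NAT rewrites
# only the network bits covered by the mapped /8 and keeps the host bits.
REAL, MAPPED = ip_network("10.0.0.0/8"), ip_network("192.0.0.0/8")     # policy-nat acl
VPN_SRC, VPN_DST = ip_network("192.0.0.0/8"), ip_network("192.0.0.0/8")  # vpn acl

def rewrite_prefix(addr, old, new):
    """Swap addr's network bits from `old` to `new`, keeping the host bits."""
    host_bits = int(addr) & int(old.hostmask)
    return ip_address(int(new.network_address) | host_bits)

def nat_outbound(src, dst):
    """inside -> outside on either ASA: policy-nat matches real src to mapped dst."""
    if src in REAL and dst in MAPPED:
        return rewrite_prefix(src, REAL, MAPPED), dst
    return src, dst            # no match: the packet leaves untranslated

def nat_inbound(src, dst):
    """outside -> inside: a mapped destination is untranslated to the real host."""
    if dst in MAPPED:
        return src, rewrite_prefix(dst, MAPPED, REAL)
    return src, dst

def egress(src, dst):
    """'tunnel' if the post-NAT flow matches the vpn acl, else 'default-route'."""
    s, d = nat_outbound(ip_address(src), ip_address(dst))
    return "tunnel" if s in VPN_SRC and d in VPN_DST else "default-route"

def trace_ping(host_a, target):
    """Request and reply through ASA-1 and ASA-2; (src, dst) seen at each hop."""
    if egress(host_a, target) != "tunnel":
        raise ValueError("%s -> %s is routed to the internet, not the tunnel" % (host_a, target))
    hops = {}
    s, d = nat_outbound(ip_address(host_a), ip_address(target))   # step 2
    hops["asa1_out"] = (s, d)
    s, d = nat_inbound(s, d)                                      # step 5
    hops["asa2_in"] = (s, d)
    s, d = nat_outbound(d, s)                                     # step 7: host B replies
    hops["asa2_out"] = (s, d)
    s, d = nat_inbound(s, d)                                      # step 10
    hops["asa1_in"] = (s, d)
    return {k: (str(a), str(b)) for k, (a, b) in hops.items()}

if __name__ == "__main__":
    for hop, pair in trace_ping("10.1.100.1", "192.5.100.1").items():
        print(hop, "%s -> %s" % pair)
    print("ping 10.101.1.1 goes via:", egress("10.1.100.1", "10.101.1.1"))
```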

Green

Help with Site to Site VPN on ASA5505

Curious if you had any success with the solution above?
