HQ ASA 5510 to branch ASA 5510 IPsec site to site VPN - branch is not sending responses back over VPN

charlesriley
Level 1

We have two Cisco ASA firewalls with a "healthy" site-to-site IPsec VPN between them.  Traffic sent over the VPN is not translated, while all other traffic to the internet is translated to the public IP address.

The problem is that while the HQ ASA encrypts and sends traffic correctly to the branch ASA, the branch ASA does not encrypt the responses, nor does it send them over the VPN - it sends the responses to the internet (to an RFC1918 address).

The configuration looks correct, the VPN is established.  Any help or a point in the right direction would be appreciated.

Thank you,

Charles

This is what we see on the branch...

sh crypto ipsec sa
interface: Outside
    Crypto map tag: Outside_map, seq num: 12, local addr: x.x.x..210

      access-list Outside_12_cryptomap extended permit ip 10.40.14.0 255.255.255.0 192.168.65.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.40.14.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.65.0/255.255.255.0/0/0)
      current_peer: 98.100.154.83

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.210, remote crypto endpt.:y.y.y.83

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 162FA7F9
      current inbound spi : D58FCAAE

    inbound esp sas:
      spi: 0xD58FCAAE (3582970542)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 86016, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/28433)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000000F
    outbound esp sas:
      spi: 0x162FA7F9 (372221945)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 86016, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28433)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
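The counters in the output above are the whole symptom: the branch SA has decrypted three packets and encrypted none. The script below, added as an example and not code from this thread, parses `show crypto ipsec sa` text in the format Charles posted and labels each SA by that asymmetry. SAMPLE_SA_OUTPUT is a constructed excerpt with RFC 5737 documentation addresses in place of the real endpoints.

```python
"""Parse ASA 'show crypto ipsec sa' output and flag one-way IPsec SAs.

Added example, not code from the thread. SAMPLE_SA_OUTPUT is constructed in
the format Charles posted (addresses from RFC 5737 documentation ranges).
"""
import re

# Constructed sample: an SA that decrypts peer traffic but has never encrypted a reply.
SAMPLE_SA_OUTPUT = """\
interface: Outside
    Crypto map tag: Outside_map, seq num: 12, local addr: 192.0.2.210

      access-list Outside_12_cryptomap extended permit ip 10.40.14.0 255.255.255.0 192.168.65.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.40.14.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.65.0/255.255.255.0/0/0)
      current_peer: 198.51.100.83

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
      #send errors: 0, #recv errors: 0
"""

SA_START = re.compile(r"^\s*Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)")
COUNTER = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")
IDENT = re.compile(r"^\s*(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PEER = re.compile(r"^\s*current_peer: (\S+)")
ERRORS = re.compile(r"#send errors: (\d+), #recv errors: (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per crypto-map entry found in the output."""
    sas, cur = [], None
    for line in text.splitlines():
        m = SA_START.match(line)
        if m:
            cur = {"map": m.group(1), "seq": int(m.group(2)), "local_addr": m.group(3),
                   "peer": None, "encaps": 0, "decaps": 0, "encrypt": 0, "decrypt": 0,
                   "send_errors": 0, "recv_errors": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        for name, value in COUNTER.findall(line):
            cur[name] = int(value)
        m = IDENT.match(line)
        if m:
            cur[m.group(1) + "_ident"] = m.group(2) + "/" + m.group(3)
        m = PEER.match(line)
        if m:
            cur["peer"] = m.group(1)
        m = ERRORS.search(line)
        if m:
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return sas


def classify_sa(sa):
    """Label an SA from its packet counters."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle"
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        return "one-way-inbound"    # peer's traffic arrives, replies never enter the tunnel
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return "one-way-outbound"   # we send, nothing ever comes back encrypted
    return "bidirectional"


def find_one_way_tunnels(text):
    """List (map, seq, peer, verdict) for every SA whose counters are asymmetric."""
    return [(sa["map"], sa["seq"], sa["peer"], classify_sa(sa))
            for sa in parse_ipsec_sa(text)
            if classify_sa(sa).startswith("one-way")]


if __name__ == "__main__":
    for hit in find_one_way_tunnels(SAMPLE_SA_OUTPUT):
        print(hit)
```

Run against the sample, the only SA comes back as `one-way-inbound`, which is the state of the branch SA in the first post. Read alongside `#send errors`, the split between decaps and encaps tells you on which side to keep looking: a zero encaps count with no send errors means the replies are never being handed to the crypto map at all, rather than failing inside it.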

3 Replies

Julio Carvajal
VIP Alumni

Hello Charles,

Can you check the No_nat configuration for the Branch site and post it if needed?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi, Julio,

Here are the relevant bits of the configuration... thank you for taking a look; this one has me stymied.

Charles

ASA Version 8.2(5)
!
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 11.11.38.210 255.255.255.248
!
interface Ethernet0/1
 nameif Inside
 security-level 99
 ip address 10.40.14.254 255.255.255.0
!
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
domain-name XXXstZZZ
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network XXX-MAIN-NET
 description XXX-MAIN  addresses/networks permitted  access
 network-object 192.168.65.0 255.255.255.0
object-group network XXX-MAIN-ST-ZZZ-DESTINATIONS
 description devices/addresses/networks that XXX-MAIN can access.
 network-object 10.40.14.0 255.255.255.0
object-group service XXX-MAIN-PORTS
 description ports and services that XXX-MAIN can access.
 service-object ip
 service-object icmp
access-list Outside_nat0_outbound extended permit ip 10.40.14.0 255.255.255.0 192.168.65.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.40.14.0 255.255.255.0 192.168.65.0 255.255.255.0
access-list SplitTunnelingLAN standard permit 192.168.65.0 255.255.255.0
access-list XXX-MAIN-OUTSIDE-TO-INSIDE remark Permit XXX-MAIN  traffic to (identifies what is to be encrypted)
access-list XXX-MAIN-OUTSIDE-TO-INSIDE extended permit object-group XXX-MAIN-PORTS object-group XXX-MAIN-NET object-group XXX-MAIN-ST-ZZZ-DESTINATIONS
access-list Outside_12_cryptomap extended permit ip 10.40.14.0 255.255.255.0 192.168.65.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu management 1500
mtu Outside 1500
mtu Inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Outside) 0 access-list Outside_nat0_outbound
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 101 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 11.11.38.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-HMAC esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 12 match address Outside_12_cryptomap
crypto map Outside_map 12 set peer 12.12.154.83
crypto map Outside_map 12 set transform-set ESP-AES-256-SHA
crypto map Outside_map 12 set nat-t-disable
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 28800
telnet timeout 5
ssh 10.40.14.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy XXX-MAIN-IPSEC-POLICY internal
group-policy XXX-MAIN-IPSEC-POLICY attributes
 vpn-filter value XXX-MAIN-OUTSIDE-TO-INSIDE
 vpn-tunnel-protocol IPSec
tunnel-group 12.12.154.83 type ipsec-l2l
tunnel-group 12.12.154.83 general-attributes
 default-group-policy XXX-MAIN-IPSEC-POLICY
tunnel-group 12.12.154.83 ipsec-attributes
 pre-shared-key *****
!
: end
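Julio's first question was whether the branch has a NAT exemption covering the interesting traffic. The check below, added here as an example and not code from the thread, parses the 8.2-style `nat (IF) 0 access-list` and `crypto map ... match address` lines and reports any crypto ACE that has no identical ACE in the nat 0 ACL of the inside interface. SAMPLE_CONFIG is a constructed excerpt using the same command forms as the posted config, with a placeholder peer address.

```python
"""Verify that each crypto-map ACL on an ASA 8.2(x) config is covered by a
NAT-exemption (nat 0) ACL on the inside interface.

Added example, not code from the thread. SAMPLE_CONFIG is a constructed
excerpt in the command forms Charles posted; the peer address is a placeholder.
"""
import re

SAMPLE_CONFIG = """\
access-list Outside_nat0_outbound extended permit ip 10.40.14.0 255.255.255.0 192.168.65.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.40.14.0 255.255.255.0 192.168.65.0 255.255.255.0
access-list Outside_12_cryptomap extended permit ip 10.40.14.0 255.255.255.0 192.168.65.0 255.255.255.0
global (Outside) 101 interface
nat (Outside) 0 access-list Outside_nat0_outbound
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 101 0.0.0.0 0.0.0.0
crypto map Outside_map 12 match address Outside_12_cryptomap
crypto map Outside_map 12 set peer 203.0.113.83
"""

# Only the ip-any-protocol form is handled; object-group ACEs are ignored here.
ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0 = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
MATCH = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def parse_config(text):
    """Collect ip-only ACEs per ACL, the nat 0 ACL per interface, and crypto-map matches."""
    acls, nat0, cryptomaps = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
            continue
        m = NAT0.match(line)
        if m:
            nat0[m.group(1)] = m.group(2)
            continue
        m = MATCH.match(line)
        if m:
            cryptomaps.append((m.group(1), int(m.group(2)), m.group(3)))
    return acls, nat0, cryptomaps


def audit_nat_exemption(text, inside_if="Inside"):
    """Return findings for crypto ACEs with no identical nat 0 ACE on inside_if."""
    acls, nat0, cryptomaps = parse_config(text)
    exempt = set(acls.get(nat0.get(inside_if, ""), []))
    findings = []
    for map_name, seq, acl_name in cryptomaps:
        if acl_name not in acls:
            findings.append(f"{map_name} {seq}: crypto ACL {acl_name} not found")
            continue
        for ace in acls[acl_name]:
            if ace not in exempt:
                src, smask, dst, dmask = ace
                findings.append(f"{map_name} {seq}: {src} {smask} -> {dst} {dmask} "
                                f"is not exempted by nat ({inside_if}) 0")
    return findings


if __name__ == "__main__":
    print(audit_nat_exemption(SAMPLE_CONFIG) or ["no findings"])
```

On the lines Charles posted, Inside_nat0_outbound is identical to Outside_12_cryptomap, so this check returns no findings. The comparison is exact match on source/destination address and mask; a nat 0 ACE that is broader than the crypto ACE would be reported even though the ASA would honour it, so treat a finding as a prompt to read the two ACLs side by side rather than as proof of a fault.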

Hello,

Hmm, please provide the output of the following:

packet-tracer input inside tcp 10.40.14.3 1025 192.168.65.8 80

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC