10-10-2013 07:23 AM
I have an issue that I'm hoping you can shed some light on. I have 3 sites all connected with VPN/IPsec IKEv2 tunnels using ASA 5505 and 5510 with 8.4+ code. Please see the image below for more details on my setup. All VPN tunnels are up and sending traffic across from the immediate neighbor; the issue is that I cannot ping or access ASA3's subnet from ASA2's, or ASA2's subnet from ASA3's. What am I missing from my configuration? Please see below, and thank you in advance for any assistance you can provide with this.
ASA 3 VPN Config:
protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map crypto_map 1 match address ASA3_ACL
crypto map crypto_map 1 set peer 1.1.1.1
crypto map crypto_map 1 set ikev2 ipsec-proposal aes_256
crypto map crypto_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 2
prf sha256
lifetime seconds 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy ipsec_group_policy
tunnel-group 1.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
vpn-idle-timeout 6000
vpn-session-timeout none
vpn-tunnel-protocol ikev2
nat (inside,outside) source static all_inside_networks all_inside_networks destination static all_outside_networks all_outside_networks no-proxy-arp route-lookup
object-group network all_inside_networks
network-object 10.0.1.0 255.255.255.0
object-group network all_outside_networks
network-object 10.0.0.0 255.255.255.0
network-object 10.0.18.0 255.255.255.0
access-list ASA3_ACL extended permit ip object-group all_inside_networks object-group all_outside_networks
10-10-2013 08:31 AM
Hi,
Seems to me your ASA1 is missing some rules in the "crypto map" ACL
access-list ASA3_ACL extended permit ip object-group ASA2 object-group ASA3
access-list ASA2_ACL extended permit ip object-group ASA3 object-group ASA2
You are also missing the "nat" command I mentioned
nat (outside,outside) source static ASA2 ASA2 destination static ASA3 ASA3
You should not need a second "nat" command as this should match whichever the direction of the connection forming is
Hope this helps
- Jouni
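Added example (not from the thread, and not Cisco code): a small offline model of the two lookups the hub ASA performs for a spoke-to-spoke flow, the first-match crypto-map ACL lookup on the way out and the identity twice-NAT ("NAT0") lookup. It parses the ASA1 lines posted later in this thread (object names, ACL names and subnets unchanged) and evaluates the flow 10.0.18.100 -> 10.0.1.100 before and after the two access-list lines and the nat line from the answer above. The parser understands only the command forms that appear in the thread, and the model ignores routing, interface ACLs and the proxy-ID check on the inbound decrypt; it assumes the ASA behaviours that the first matching crypto-map entry wins and that manual NAT rules match in both directions.

```python
"""Model of the crypto-map ACL lookup and identity twice-NAT lookup on a hub
ASA for hairpinned spoke-to-spoke traffic.  Added example, not code or
configuration from the thread; it replays the posted ASA1 lines."""

import ipaddress
import re

# ASA1 lines as posted in the thread (object names and subnets unchanged).
ASA1_POSTED = """
crypto map crypto_map 1 match address ASA3_ACL
crypto map crypto_map 1 set peer 3.3.3.3
crypto map crypto_map 2 match address ASA2_ACL
crypto map crypto_map 2 set peer 2.2.2.2
access-list ASA3_ACL extended permit ip object-group all_inside_networks object-group ASA3
access-list ASA2_ACL extended permit ip object-group all_inside_networks object-group ASA2
nat (inside,outside) source static all_inside_networks all_inside_networks destination static all_outside_networks all_outside_networks no-proxy-arp route-lookup
object-group network all_outside_networks
network-object 10.0.1.0 255.255.255.0
network-object 10.0.18.0 255.255.255.0
object-group network ASA2
network-object 10.0.18.0 255.255.255.0
object-group network ASA3
network-object 10.0.1.0 255.255.255.0
object-group network all_inside_networks
network-object 10.0.0.0 255.255.255.0
"""

# The three lines from the accepted answer.
JOUNI_FIX = """
access-list ASA3_ACL extended permit ip object-group ASA2 object-group ASA3
access-list ASA2_ACL extended permit ip object-group ASA3 object-group ASA2
nat (outside,outside) source static ASA2 ASA2 destination static ASA3 ASA3
"""

OBJ_GROUP = re.compile(r"object-group network (\S+)$")
NET_OBJ = re.compile(r"network-object (\S+) (\S+)$")
ACL = re.compile(r"access-list (\S+) extended permit ip object-group (\S+) object-group (\S+)$")
CMAP = re.compile(r"crypto map \S+ (\d+) match address (\S+)$")
# Identity twice-NAT only: "source static X X destination static Y Y ..."
NAT = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) \3 destination static (\S+) \4\b")


def parse(text):
    """Return (object_groups, acls, nat_rules, crypto_map) from config lines."""
    groups, acls, nats, cmap = {}, {}, [], []
    current = None                      # object-group currently being filled
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := OBJ_GROUP.match(line):
            current = groups.setdefault(m.group(1), [])
        elif m := NET_OBJ.match(line):
            if current is None:
                raise ValueError(f"network-object outside an object-group: {line}")
            current.append(ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"))
        else:
            current = None              # any other command ends the object-group
            if m := ACL.match(line):
                acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            elif m := CMAP.match(line):
                cmap.append((int(m.group(1)), m.group(2)))
            elif m := NAT.match(line):
                nats.append(m.groups())   # (ingress, egress, src_group, dst_group)
    return groups, acls, nats, cmap


def _in(groups, name, ip):
    return any(ip in net for net in groups.get(name, ()))


def crypto_map_entry(cfg, src, dst):
    """Sequence number of the first crypto-map entry whose ACL permits src->dst
    (the lookup made as the packet leaves the crypto-map interface to be
    encrypted), or None when no entry covers the flow."""
    groups, acls, _, cmap = cfg
    for seq, acl in sorted(cmap):
        if any(_in(groups, s, src) and _in(groups, d, dst) for s, d in acls.get(acl, [])):
            return seq
    return None


def identity_nat_rule(cfg, ingress, egress, src, dst):
    """True when an identity twice-NAT rule covers the flow.  Manual NAT rules
    are bidirectional on the ASA, so a rule written spoke2->spoke3 also
    matches spoke3->spoke2; that is why a single rule serves both spokes."""
    groups, _, nats, _ = cfg
    for i, e, s, d in nats:
        fwd = (i, e) == (ingress, egress) and _in(groups, s, src) and _in(groups, d, dst)
        rev = (e, i) == (ingress, egress) and _in(groups, d, src) and _in(groups, s, dst)
        if fwd or rev:
            return True
    return False


def evaluate(config_text, ingress, egress, src, dst):
    cfg = parse(config_text)
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return {"crypto_map_seq": crypto_map_entry(cfg, src, dst),
            "identity_nat": identity_nat_rule(cfg, ingress, egress, src, dst)}


if __name__ == "__main__":
    flow = ("outside", "outside", "10.0.18.100", "10.0.1.100")
    print("posted:", evaluate(ASA1_POSTED, *flow))              # no entry, no NAT0
    print("fixed: ", evaluate(ASA1_POSTED + JOUNI_FIX, *flow))  # entry 1, NAT0 present
```

With the posted configuration both lookups come back empty for the spoke-to-spoke flow, because every crypto ACL entry on ASA1 has all_inside_networks (10.0.0.0/24) as its source and the only nat rule is on (inside,outside). With the three added lines the forward flow hits crypto map entry 1 (toward 3.3.3.3) and the reverse flow hits entry 2, and the one (outside,outside) rule covers both directions; that mirrors what "packet-tracer input outside ..." on the hub would report for the VPN and NAT phases.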
10-10-2013 07:34 AM
Add this command to your configuration, especially on ASA1.
same-security-traffic permit intra-interface
HTH
Rick
10-10-2013 07:34 AM
Hi,
You will need to make sure that ASA1 has the following configured
same-security-traffic permit intra-interface
This is because the traffic will come from "outside" interface and leave through "outside" interface through another L2L VPN connection.
You might also need a NAT0 configuration on the "outside" interface of the ASA1
For example
object network SITE-2
subnet 10.0.18.0 255.255.255.0
object network SITE-3
subnet 10.0.1.0 255.255.255.0
nat (outside,outside) source static SITE-2 SITE-2 destination static SITE-3 SITE-3
You can naturally use the "packet-tracer" on both ASA2 and ASA3 to confirm that they form the SA for the local and remote network with the ASA1. If that doesn't even form them, the problem is between the ASA2 and ASA1 or ASA3 and ASA1
ASA2
packet-tracer input inside tcp 10.0.18.100 12345 10.0.1.100 80
ASA3
packet-tracer input inside tcp 10.0.1.100 12345 10.0.18.100 80
Modify the interface name if it's different from the above. Modify the protocol and/or port if it's not allowed by your local ACL. Issue the command twice as the L2L VPN negotiation would have gone up after the first time you enter the command and only the second command could pass. (Unless the connection is already up)
- Jouni
10-10-2013 07:50 AM
Hi guys and thank you very much for helping. I already have the command on ASA1
ASA1(config)# show running-config same-security-traffic
same-security-traffic permit intra-interface
I'm going to try doing some packet tracing, would you like to see ASA1 config ?
10-10-2013 07:53 AM
Hi,
It wouldn't hurt at least.
Naturally if it has a large NAT/ACL configuration it might be easier to confirm things with the "packet-tracer".
But you can naturally share the configurations (without any public IP addresses)
- Jouni
10-10-2013 08:08 AM
ASA1 VPN config
crypto map crypto_map 1 match address ASA3_ACL
crypto map crypto_map 1 set peer 3.3.3.3
crypto map crypto_map 1 set ikev2 ipsec-proposal aes_256
crypto map crypto_map 2 match address ASA2_ACL
crypto map crypto_map 2 set peer 2.2.2.2
crypto map crypto_map 2 set ikev2 ipsec-proposal aes_256
crypto map crypto_map interface outside
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
default-group-policy ipsec_group_policy
tunnel-group 3.3.3.3 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
default-group-policy ipsec_group_policy
tunnel-group 2.2.2.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
access-list ASA3_ACL extended permit ip object-group all_inside_networks object-group ASA3
access-list ASA2_ACL extended permit ip object-group all_inside_networks object-group ASA2
nat (inside,outside) source static all_inside_networks all_inside_networks destination static all_outside_networks all_outside_networks no-proxy-arp route-lookup
object-group network all_outside_networks
network-object 10.0.1.0 255.255.255.0
network-object 10.0.18.0 255.255.255.0
object-group network ASA2
network-object 10.0.18.0 255.255.255.0
object-group network ASA3
network-object 10.0.1.0 255.255.255.0
object-group network all_inside_networks
network-object 10.0.0.0 255.255.255.0
group-policy ipsec_group_policy internal
group-policy ipsec_group_policy attributes
vpn-idle-timeout 6000
vpn-session-timeout none
vpn-tunnel-protocol ikev2
10-10-2013 08:03 AM
Hi Delmiro,
In addition to what JouniForss has requested, to create a no-NAT between the two remote ASAs, you are also required to no-NAT in the opposite direction as well.
nat (outside,outside) source static SITE-3 SITE-3 destination static SITE-2 SITE-2
Hope this helps.
thanks
Rizwan Rafeek
10-10-2013 08:20 AM
ASA 2 VPN Config:
protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map crypto_map 1 match address ASA2_ACL
crypto map crypto_map 1 set peer 1.1.1.1
crypto map crypto_map 1 set ikev2 ipsec-proposal aes_256
crypto map crypto_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 2
prf sha256
lifetime seconds 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy ipsec_group_policy
tunnel-group 1.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
vpn-idle-timeout 6000
vpn-session-timeout none
vpn-tunnel-protocol ikev2
nat (inside,outside) source static all_inside_networks all_inside_networks destination static all_outside_networks all_outside_networks no-proxy-arp route-lookup
object-group network all_inside_networks
network-object 10.0.1.0 255.255.255.0
object-group network all_outside_networks
network-object 10.0.0.0 255.255.255.0
network-object 10.0.18.0 255.255.255.0
access-list ASA2_ACL extended permit ip object-group all_inside_networks object-group all_outside_networks
10-10-2013 09:34 AM
oh my god, I can't believe I missed that. Thank you Jouni, I'm going to try those changes next.
10-12-2013 07:19 PM
Thank you Jouni, as always you are amazing, please keep up the great support that you provide to the community.