Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Problems with routing over a VPN Connection (ASA5505)

Dear all,

 

I have to connect two remote sites using an IPSec Tunnel (EasyVPN). The devices to be used are two Cisco ASA 5505.

They have already been connected to the internet and configured and they can see and ping each other via the “outside” interface. The inside interfaces on both sides have a private address range 192.168.160.0/24 and 192.168.128.0/24.

Before connecting the to the internet I configured them connected to a 2921 Router that simulated the Internet (both interfaces had the adresses of the real gateways). In my test configuration the tunnel was established (checked via show isakmp sa) and two computers connected in the inside interfaces of each ASA could ping each other.

Test Config: *PC*-------*in*ASA*out*-------*2921*----------*out*ASA*in*---------*PC*

The problems came when I connected the ASA devices to the internet. The tunnel is established but I cannot ping devices in the inside interface of the other ASA. Even though the routing table has the correct values.

Real Config: *PC*-------*in*ASA*out*-------*Internet*----------*out*ASA*in*---------*PC*

 

I am not an expert with the ASA, but as far as I know there shouldn't be a problem with the inside interfaces having a private address, since the whole information is sent through the tunnel, right?

 

Thanks a lot for your help!
Fabio

  • VPN
Everyone's tags (1)
23 REPLIES

HiMaybe a stupid question,

Hi

Maybe a stupid question, but are you sure you are inspecting icmp?

Otherwise write "fixup protocol icmp".

New Member

Hello, thanks for your answer

Hello,

 

thanks for your answer. On both devices I configured icmp as follows:

icmp permit any inside
icmp permit any outside

And the policy map is as follows:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!

 

This icmp inspection has something to do? What is puzzling me is the fact that my test configuration with the 2911 router simulating internet works and once I connect it to the real internet it doesn't.

 

thanks again!

Fabio

New Member

Hi Fabio,Can you provide the

Hi Fabio,

Can you provide the output of below :

 

Show run nat

sh route

show cry isa sa

show cry ips sa

 

Regards,

Altaf

 

 

New Member

Hi, at the moment I only have

Hi,

 

at the moment I only have access to one of the ASAs (the one acting as server). For security reasons I have changed the public IPs.

Find also attached a schema of the network (at the moment there are no devices connected in the 192.168.160.0 network). When I tested it, there were.

 

show run nat

ASA# sh run nat
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
ASA#

sh route

ASA# sh route

Gateway of last resort is 192.168.128.1 to network 0.0.0.0

S    1.1.1.0 255.255.255.224 [1/0] via 2.2.2.1, outside
C    192.168.128.0 255.255.255.0 is directly connected, inside
S    192.168.160.0 255.255.255.0 [1/0] via 2.2.2.1, outside
C    2.2.2.0 255.255.255.224 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.128.1, inside

show cry isa sa

ASA# sh cry isa sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 1.1.1.2
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

show cry ips sa

BB-ERL# sh cry ips sa
interface: outside
    Crypto map tag: dyn-bb-map, seq num: 5, local addr: 146.254.60.228

      local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (1.1.1.2/255.255.255.255/0/0)
      current_peer: 1.1.1.2, username: user
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.2

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 5AAC68DB
      current inbound spi : EF3D1228

    inbound esp sas:
      spi: 0xEF3D1228 (4013756968)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 32768, crypto-map: dyn-bb-map
         sa timing: remaining key lifetime (sec): 27308
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x5AAC68DB (1521248475)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 32768, crypto-map: dyn-bb-map
         sa timing: remaining key lifetime (sec): 27308
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: dyn-bb-map, seq num: 5, local addr: 2.2.2.2

      local ident (addr/mask/prot/port): (192.168.128.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (1.1.1.2/255.255.255.255/0/0)
      current_peer: 1.1.1.2, username: user
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.2

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: B66B6785
      current inbound spi : 8ADC7777

    inbound esp sas:
      spi: 0x8ADC7777 (2329704311)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 32768, crypto-map: dyn-bb-map
         sa timing: remaining key lifetime (sec): 27309
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xB66B6785 (3060492165)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 32768, crypto-map: dyn-bb-map
         sa timing: remaining key lifetime (sec): 27307
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

 

Thanks a lot!!

Fabio

New Member

Hi, Can you check the NAT 0,

Hi,

 

Can you check the NAT 0, are you sure you are exempting the traffic, for troubleshooting, please get the packet tracer output. we need to initiate a packet tracer from the inside interface:

something like this:

packet input inside icmp 192.168.128.5 8 0 1.1.1.2 det

you will see where the packet is dropping , if it doesn't then flow should be allowed and goes through VPN.

if you have difficulties, please paste the above output here for analyse.

-Altaf

 

 

New Member

Hi,thanks for your answer. I

Hi,

thanks for your answer. I don't have access to the devices anymore. I won't be able to do this until monday.

 

However, in my test scenario, which is the same as the real one but simulating the internet connection using a Cisco2921, I could ping and communicate  from both ASA's "inside sides" (I was able to establish a remote desktop session as well!!)

 

best regards,

Fabio

New Member

Hi, One more thing is, if you

Hi,

 

One more thing is, if you trying to ping inside interface through the VPN(in non-working one), then please add:

Management-access inside

if not then the packet tracer output will clearly tell you where could be the issue is.

 

-Altaf

New Member

Hi, according to the outputs

Hi,

 

according to the outputs i copied here, the traffic between both inside networks should be routed through the VPN, right?

In my test scenario it worked flawlessly. It is with the "internet" connection where I have all the problems.

 

Best regards,
Fabio

New Member

Hi, Once you send a ping to

Hi,

 

Once you send a ping to the destination from the source 192.168.128.X, observe the output of "sho cry ips sa" and see the counters of encaps/decaps. if the encap counter is not incrementing then then traffic isn't going through the tunnel.

In this case packet tracer command which I highlighted will help.

 

-Altaf

 

 

609
Views
0
Helpful
23
Replies