site-to-site between ASA 5510 and 880 router

Sergey Balyura
Level 1

Hello, everybody!

I have a problem.

I have two LANs - 192.168.44.0/22 and 192.168.0.0/24

I connected them with a site-to-site VPN: ASA 8.2 (192.168.45.200) in 192.168.44.0/22 and an 880 router (192.168.0.1) in 192.168.0.0/24.

Everything is fine. I created another two networks - 10.100.100.0/24 and 10.11.12.0/24

and connected them to 192.168.44.0/24:

10.100.100.0 through 192.168.47.233

10.11.12.0 through 192.168.47.236

I inserted these networks in all ACLs on the ASA and on the 880 router,

and in vain. I cannot ping 10.11.12.0 and 10.100.100.0 from 192.168.0.0

and vice versa.

That is the part of the ASA config:

!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address AAA.BBB.CCC.18 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.45.200 255.255.252.0
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 10.100.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.11.12.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.44.0 255.255.252.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.100.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.11.12.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 AAA.BBB.CCC.17 1
route inside 10.11.12.0 255.255.255.0 192.168.47.236 1
route inside 10.100.100.0 255.255.255.0 192.168.47.233 1
crypto map Sta-Map 1 match address outside_1_cryptomap
crypto map Sta-Map 1 set pfs group1
crypto map Sta-Map 1 set peer WWW.XXX.YYY.22
crypto map Sta-Map 1 set transform-set ESP-DES-SHA
crypto map Sta-Map 1 set reverse-route
crypto map Sta-Map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
tunnel-group WWW.XXX.YYY.22 type ipsec-l2l
tunnel-group WWW.XXX.YYY.22 ipsec-attributes
 pre-shared-key *

That is the part of the 880 router config:

ip source-route
crypto isakmp policy 1
 encr 3des
 authentication pre-share
!
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key k@t@klizm address 62.205.178.18
!
!
crypto ipsec transform-set sklad-office esp-des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to AAA.BBB.CCC.18
 set peer AAA.BBB.CCC.18
 set transform-set sklad-office
 match address 100
 reverse-route
interface FastEthernet4
 description $ETH-LAN$
 ip address WWW.XXX.YYY.22 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 87.249.6.21
!
ip nat inside source list 113 interface FastEthernet4 overload
access-list 23 permit 62.205.178.18
access-list 23 permit 82.204.180.136
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit 188.123.0.0 0.0.255.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.44.0 0.0.3.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.11.12.0 0.0.0.255
access-list 113 deny   ip 192.168.0.0 0.0.0.255 192.168.44.0 0.0.3.255
access-list 113 deny   ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 113 deny   ip 192.168.0.0 0.0.0.255 10.11.12.0 0.0.0.255
access-list 113 permit ip 192.168.0.0 0.0.0.255 any

Please help me understand where I am wrong.
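To check the two posted ACL sets mechanically, here is an added Python example (not from this thread, not Cisco code): it parses the ASA crypto ACL and NAT-exemption ACL and the 880's ACL 100, converts the IOS wildcard masks to prefixes, and reports any proxy identity that is not mirrored on the router or not NAT-exempted on the ASA. It uses only the excerpt posted above, so the 192.168.44.0/22 -> 192.168.0.0/24 pair is reported as not exempt simply because that nat0 line is not in the excerpt.

```python
import ipaddress
import re

# Constructed input: the ACL lines exactly as posted in this thread (ASA side, then 880 side).
ASA_CONFIG = """
access-list inside_nat0_outbound extended permit ip 10.100.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.11.12.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.44.0 255.255.252.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.100.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.11.12.0 255.255.255.0 192.168.0.0 255.255.255.0
"""
IOS_CONFIG = """
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.44.0 0.0.3.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.11.12.0 0.0.0.255
"""

# Matches both ASA ("extended permit ip") and IOS ("permit ip") permit-ip entries.
ACE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")


def _net(addr, mask, wildcard):
    """Build a network from an address plus a subnet mask (ASA) or a wildcard mask (IOS)."""
    if wildcard:  # IOS wildcard: invert every bit to obtain the subnet mask
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(config, name, wildcard=False):
    """Return the set of (src, dst) network pairs of the permit-ip entries of one ACL."""
    pairs = set()
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m and m.group(1) == name:
            pairs.add((_net(m.group(2), m.group(3), wildcard),
                       _net(m.group(4), m.group(5), wildcard)))
    return pairs


def _fmt(pairs):
    return sorted(f"{s} -> {d}" for s, d in pairs)


def check_tunnel(asa_cfg, crypto_acl, nat0_acl, ios_cfg, ios_acl):
    """Compare the ASA crypto ACL with the router's (mirrored) crypto ACL and the nat0 ACL."""
    asa = parse_acl(asa_cfg, crypto_acl)
    nat0 = parse_acl(asa_cfg, nat0_acl)
    # The router's ACL is written from its side, so swap src/dst to compare with the ASA.
    router = {(dst, src) for src, dst in parse_acl(ios_cfg, ios_acl, wildcard=True)}
    return {"not_mirrored_on_router": _fmt(asa - router),
            "extra_on_router": _fmt(router - asa),
            "not_nat_exempt": _fmt(asa - nat0)}


if __name__ == "__main__":
    for key, val in check_tunnel(ASA_CONFIG, "outside_1_cryptomap",
                                 "inside_nat0_outbound", IOS_CONFIG, "100").items():
        print(key, val)
```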

24 Replies

Jennifer Halim
Cisco Employee

Did you clear the tunnel on both ends after you added the new config?

Also, is there any ACL on the ASA inside interface that might be blocking the traffic?

Lastly, I assume that the 10.100.100.0/24 and 10.11.12.0/24 networks know how to route to the 192.168.0.0/24 network, i.e. via the ASA inside interface?

No, I didn't. But how can I do it?

I have some other lines in inside_nat0_outbound because the ASA is a hub for site-to-site VPNs,

and I have some ACLs for other crypto maps.

Yes, all the routes are right.

Hi Sergey,

Please run a packet-tracer from the new LAN to the remote LAN and see how far it goes.

If the packet gets dropped then check the phase (NAT, ACL...) and correct it.

Does the ASA build the SA for these new networks?

     show crypto ipsec sa peer public_ip_Router

Please make sure you clear the tunnel:

     clear crypto ipsec sa peer public_ip_Router

Please keep us posted.

Thanks.

I have run show crypto ipsec sa peer "remote ip address".

This is the output:

ciscoasa# show crypto ipsec sa peer ?
  Hostname or A.B.C.D  IPsec SA peer address or hostname

ciscoasa# show crypto ipsec sa peer WWW.XXX.YYY.22
peer address: WWW.XXX.YYY.22
    Crypto map tag: Sta-Map, seq num: 1, local addr: AAA.BBB.BBB.18

      access-list outside_1_cryptomap permit ip 192.168.44.0 255.255.252.0 192.168.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.44.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      current_peer: WWW.XXX.YYY.22

      #pkts encaps: 36, #pkts encrypt: 36, #pkts digest: 36
      #pkts decaps: 35, #pkts decrypt: 35, #pkts verify: 35
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 36, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: AAA.BBB.CCC.18, remote crypto endpt.: WWW.XXX.YYY.22

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 956FD974

    inbound esp sas:
      spi: 0x3EEB093E (1055590718)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 33054720, crypto-map: Sta-Map
         sa timing: remaining key lifetime (kB/sec): (4373995/3567)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x0000FFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x956FD974 (2507135348)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 33054720, crypto-map: Sta-Map
         sa timing: remaining key lifetime (kB/sec): (4373994/3567)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Is it right that there is no sign of the two other statements of my ACL outside_1_cryptomap?

access-list outside_1_cryptomap extended permit ip 192.168.44.0 255.255.252.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.100.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.11.12.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list outside_1_cryptomap line 1 extended permit ip 192.168.44.0 255.255.252.0 192.168.0.0 255.255.255.0 (hitcnt=11092) 0xcaad883e
access-list outside_1_cryptomap line 2 extended permit ip 10.100.100.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=223) 0x1fd85c29
access-list outside_1_cryptomap line 3 extended permit ip 10.11.12.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=26) 0x5938c6d7

The result of packet-tracer on the ASA gives "DROP" at step 11:

Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Please clear the SA so the tunnel gets re-established with the newly added crypto ACL:

clear cry ipsec sa

clear cry isa sa

Hello, Jennifer!

Thank you. Your advice helped for a while,

but now the situation is very strange.

The VPN channel is stable, but on the 880 router's side I have no route to the 10.100.100.0 network at all,

and all the pings from the 880 router's network to the 10.100.100.0 network are unsuccessful.

The situation changes if I ping from the 10.100.100.0 network to the 880 router's network: the first ping is unsuccessful, but all the next pings are successful,

and from the other side connectivity is OK.

After some time connectivity disappears, and a ping from the 10.100.100.0 network to the 880 router's network fixes the situation.

Please help me solve the problem. I want to have stable connectivity.

Is there any reason why your next hops for the 2 networks are different on the ASA? Are they 2 different devices?

route inside 10.11.12.0 255.255.255.0 192.168.47.236 1
route inside 10.100.100.0 255.255.255.0 192.168.47.233 1

I have a reason, yes.

Is it important for my trouble?

It is not a vital reason,

but I'm sure it must work.

As long as the routing is correct, then it's ok.

When you ping from the 880 LAN towards the 10.100.100.0 network, does it build the VPN tunnel?

Do you see entry under "show cry isa sa" and "show cry ipsec sa" for those networks?

Well, yes.

Connectivity between the 192.168.0.0 network and the 192.168.44.0 network is stable,

but now, for example, I don't see a route from 192.168.0.1 to 10.100.100.0.

If I ping 192.168.0.254 (for example) from 10.100.100.1 (for example), this route appears!

As I understand it, for some reason this route disappears.

I cannot understand why.

The reason why it appears is after building the IPSec SA, it will inject the static route into the routing table, because you have "reverse-route" configured. Do you run any routing protocols and redistribute static into the routing protocols? If you don't run dynamic routing protocols then you don't need to configure "reverse-route". Is your default gateway for your internal network not the VPN termination devices?

Thank you, Jennifer.

After I removed the "reverse-route" statement the situation is perfect for now. Will look at it tomorrow.

Great, thanks for the update. Let us know how it goes tomorrow.

The situation is the same:

only a ping from the 10.100.100.0 network makes the 192.168.0.0 network able to reach the 10.100.100.0 network.

In both crypto maps, on the ASA and on the 880, I deleted the "reverse-route" statement,

but the same statements are in other crypto maps (as my ASA is a VPN hub).

Is it important?
