1243 Views, 0 Helpful, 12 Replies

Site-to-site tunnel not coming up between two ASA

aparikh
Level 1

Site-to-Site tunnel not coming up between ASA 5520 and ASA 5505. Both have 8.0(5). Following is the config for HQ and Remote Site.

HQ

name 172.16.4.0 Homeless
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
!
boot system disk0:/asa805-k8.bin
object-group network Homeless_Network
 network-object yy.yy.yy.yy 255.255.255.248
access-list outside_3_cryptomap extended permit ip 10.1.1.0 255.0.0.0 Homeless 255.255.252.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.0.0.0 Homeless 255.255.252.0
global (outside) 3 xx.xx.xx.xx
global (outside) 4 xx.xx.180.151
nat (inside) 5 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 yy.yy.yy.yy 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set vpn-set
crypto dynamic-map dynmap 10 set reverse-route
crypto map mymap 3 match address outside_3_cryptomap
crypto map mymap 3 set pfs group5
crypto map mymap 3 set peer yy.yy.yy.yy
crypto map mymap 3 set transform-set ESP-AES-256-SHA
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group yy.yy.yy.yy type ipsec-l2l
tunnel-group yy.yy.yy.yy ipsec-attributes
 pre-shared-key *
!

Remote SITE

interface Vlan2
 nameif outside
 security-level 0
 ip address yy.yy.yy.yy 255.255.255.248
!
!
interface Vlan60
 nameif inside
 security-level 100
 ip address 172.16.7.200 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 60
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer xx.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key *
access-list inside_nat0_outbound extended permit ip 172.16.4.0 255.255.252.0 CityHall 255.0.0.0
access-list outside_1_cryptomap extended permit ip 172.16.4.0 255.255.252.0 10.0.0.0 255.0.0.0
access-group inbound in interface outside
access-group inside_nat0_outbound in interface inside
nat (inside) 0 access-list inside_nat0_outbound

12 Replies

Jouni Forss
VIP Alumni

Hi,

At the HQ ASA at least the NAT0 configuration is wrong.

You have configured this

nat (inside) 5 access-list inside_nat0_outbound

This isn't NAT0, however. It would be configured with ID 5 if you had a corresponding "global" command using ID 5 also. It would be a Dynamic Policy NAT/PAT.

The NAT0 configurations should use the ID 0

If an existing NAT0 "nat" statement/configuration already exists, then you would use the existing ACL to define the traffic that doesn't need NAT.

So your configuration should probably be this

nat (inside) 0 access-list inside_nat0_outbound

I can't see a difference in the actual L2L VPN configurations, though there are some configurations that are not visible that might affect connectivity, BUT the above-mentioned NAT0 configuration is clearly a problem.

Hope this helps

Please remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

Thanks for the quick reply. I have the following and it is not working:

global (outside) 3 xx.xx.xx.99
global (outside) 4 xx.xx.180.151
global (outside) 5 xx.xx.xx.1
nat (inside) 0 access-list nonat
nat (inside) 3 access-list Subnet_10_130
nat (inside) 4 access-list Pat_for_vpn
nat (inside) 5 access-list inside_nat0_outbound

Hi,

The HQ site's NAT0 configuration should be configured under the ACL called "nonat":

nat (inside) 0 access-list nonat

I am not sure what the purpose of the ID 5 "nat" and "global" rule is. NAT0 means that you don't want to do any NAT. In this case the rules with ID 5 are performing a Dynamic Policy PAT.

So if the ID 5 NAT configuration is not needed, remove it and add the ACL rule to the existing "nonat" ACL:

no nat (inside) 5 access-list inside_nat0_outbound
no access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 Homeless 255.255.252.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 172.16.4.0 255.255.252.0

- Jouni
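As an added example, not part of the thread and not Cisco's code: a small Python linter that encodes the two checks Jouni walks through in the posts above, i.e. that the traffic matched by the crypto-map ACL is bound to NAT ID 0 rather than a non-zero policy-NAT ID, and that the two peers' crypto ACLs mirror each other. The sample inputs are the thread's two configs trimmed to the lines the linter reads; the remote side's `name 10.0.0.0 CityHall` is an assumption, since the thread uses CityHall without showing its `name` line.

```python
"""Lint two ASA 8.x configs for a site-to-site IPsec tunnel (added example).

Two checks from the thread: (1) the traffic matched by the crypto-map ACL must
be covered by the ACL bound with `nat (inside) 0`; an ACL bound under any other
id is policy NAT/PAT, so the packets are translated before they can match the
tunnel; (2) the peers' crypto ACLs must mirror each other (src/dst swapped).
Only the command forms seen in the thread are parsed.
"""
import re
from ipaddress import IPv4Network

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)$")
MAP_RE = re.compile(r"^crypto map \S+ (\d+) (match address|set pfs|set peer|set transform-set) (\S+)$")
NAME_RE = re.compile(r"^name (\S+) (\S+)$")


def net(host, mask, names):
    """Resolve a `name` alias; strict=False reproduces how the ASA reads
    10.1.1.0 255.0.0.0, i.e. as 10.0.0.0/8."""
    return IPv4Network((names.get(host, host), mask), strict=False)


def parse(text):
    """Return names, ACLs (lists of (src, dst) IPv4Network pairs), NAT id -> ACL
    bindings and crypto-map entries keyed by sequence number."""
    cfg = {"names": {}, "acls": {}, "nat": {}, "maps": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            cfg["names"][m[2]] = m[1]
        elif m := ACE_RE.match(line):
            pair = (net(m[2], m[3], cfg["names"]), net(m[4], m[5], cfg["names"]))
            cfg["acls"].setdefault(m[1], []).append(pair)
        elif m := NAT_RE.match(line):
            cfg["nat"][int(m[2])] = m[3]
        elif m := MAP_RE.match(line):
            cfg["maps"].setdefault(int(m[1]), {})[m[2]] = m[3]
    return cfg


def covered(src, dst, aces):
    """True when some ACE's networks contain both src and dst."""
    return any(s.supernet_of(src) and d.supernet_of(dst) for s, d in aces)


def crypto_aces(cfg):
    """All (src, dst) pairs referenced by `crypto map ... match address`."""
    return {pair for e in cfg["maps"].values()
            for pair in cfg["acls"].get(e.get("match address"), [])}


def check_nat_exemption(cfg):
    """Report crypto-ACL traffic that is not in the NAT id 0 ACL, naming the
    non-zero NAT ids (policy NAT/PAT) that would translate it instead."""
    findings = []
    exempt = cfg["acls"].get(cfg["nat"].get(0), [])
    for seq, entry in cfg["maps"].items():
        for src, dst in cfg["acls"].get(entry.get("match address"), []):
            if covered(src, dst, exempt):
                continue
            other = [i for i, acl in cfg["nat"].items()
                     if i != 0 and covered(src, dst, cfg["acls"].get(acl, []))]
            findings.append(f"crypto map seq {seq}: {src} -> {dst} is not NAT-exempt"
                            + (f"; translated by policy NAT id {other}" if other else ""))
    return findings


def check_mirror(a, b):
    """Each crypto ACE on one peer needs its src/dst mirror on the other."""
    missing = crypto_aces(a) - {(d, s) for s, d in crypto_aces(b)}
    return [f"{s} -> {d} has no mirror ACE on the peer" for s, d in sorted(missing)]


def lint(hq_text, remote_text):
    hq, remote = parse(hq_text), parse(remote_text)
    return {"hq_nat": check_nat_exemption(hq),
            "remote_nat": check_nat_exemption(remote),
            "mirror": check_mirror(hq, remote) + check_mirror(remote, hq)}


# Constructed inputs: the thread's configs trimmed to the lines the linter reads.
# `name 10.0.0.0 CityHall` is an assumption; the thread uses CityHall without
# showing its `name` line.
HQ = """\
name 172.16.4.0 Homeless
access-list outside_3_cryptomap extended permit ip 10.1.1.0 255.0.0.0 Homeless 255.255.252.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.0.0.0 Homeless 255.255.252.0
nat (inside) 5 access-list inside_nat0_outbound
crypto map mymap 3 match address outside_3_cryptomap
"""
REMOTE = """\
name 10.0.0.0 CityHall
access-list inside_nat0_outbound extended permit ip 172.16.4.0 255.255.252.0 CityHall 255.0.0.0
access-list outside_1_cryptomap extended permit ip 172.16.4.0 255.255.252.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
"""
HQ_FIXED = HQ.replace("nat (inside) 5", "nat (inside) 0")   # Jouni's correction

if __name__ == "__main__":
    print("as posted:", lint(HQ, REMOTE))
    print("after fix:", lint(HQ_FIXED, REMOTE))
```

Run as posted, the HQ side reports its crypto traffic as not NAT-exempt and translated by policy NAT ID 5, while the mirror check passes (the two crypto ACLs do line up once the /8 mask is applied); with the binding changed to ID 0 the finding disappears. The parser resolves `name` aliases at the point an ACE is read, so it expects `name` lines before the ACLs that use them, which is how the ASA orders its running config.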

Also,

The HQ site's "inside" interface configuration seems a bit off, as it's configured with a network address. I don't think the ASA would even accept that configuration.

Also personally I would be hesitant to use the complete 10.0.0.0/8 network in VPN and NAT configurations.

- Jouni

OK, I changed it to 10.1.1.0 255.255.255.0 and kept the access-list the same.

It is not working

Hi,

You can't use a network address as an interface IP address.

- Jouni

Sorry for the confusion. I have updated the interface with the correct IP address and it is not working.

Hi,

Where are you testing the connectivity from? I assume from a host behind either of the ASA firewalls?

What are you using to test the L2L VPN connection? Some TCP connection or PING / ICMP?

You could issue the following command on the ASA CLI. Issue the command TWICE, because the first one usually always drops in the VPN phase. If the VPN negotiation doesn't go through, then the second attempt will also drop in the VPN phase.

HQ ASA

packet-tracer input inside icmp 10.1.1.100 8 0 172.16.4.100

Insert the above command TWICE and copy/paste the whole output of the second time you issue that command here.

Also after the test you can check this output right after the second "packet-tracer" command

show crypto isakmp sa

- Jouni
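An added example, not part of Jouni's post: a Python parser for `packet-tracer` output that reads a trace the way the post describes, reporting which phase dropped the packet, flagging a VPN/encrypt drop as a negotiation failure when it persists on the second run, and checking that the packet actually entered on the interface the tester named. The constructed input is the trace posted later in this thread, with the two ALLOW-only phases (IP-OPTIONS and INSPECT) omitted for brevity; the `expected_input="inside"` check is an assumption about what the tester meant.

```python
"""Parse ASA `packet-tracer` output and explain the drop (added example, not
from the thread). The constructed input is the trace posted later in the
thread, so the checks below reproduce Jouni's reading of it."""


def parse_packet_tracer(text):
    """Return (phases, summary). Each phase is a dict with type, subtype,
    result, config, additional information and any free-text info lines;
    summary holds the trailing Result block (interfaces, Action, Drop-reason)."""
    phases, summary, cur = [], {}, None
    fields = ("Type", "Subtype", "Result", "Config", "Additional Information")
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            cur = {"info": []}
            phases.append(cur)
        elif line == "Result:":
            cur = None                       # per-phase section is over
        elif cur is not None:
            key, sep, val = line.partition(":")
            if sep and key in fields:
                cur[key.lower()] = val.strip()
            else:
                cur["info"].append(line)     # e.g. the route-lookup line
        else:
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
    return phases, summary


def diagnose(text, expected_input=None):
    """Which phase dropped the packet, whether a VPN/encrypt drop points at a
    failed negotiation, and whether the packet even entered on the interface
    the tester named (the thread's trace says 'Test', not 'inside')."""
    phases, summary = parse_packet_tracer(text)
    notes = []
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    if drop:
        notes.append(f"dropped in phase {drop['type']}/{drop.get('subtype', '')}: "
                     f"{summary.get('Drop-reason', 'no reason given')}")
        if drop["type"] == "VPN" and drop.get("subtype") == "encrypt":
            notes.append("VPN encrypt drop: on a second run this means IKE/IPsec "
                         "negotiation did not complete; check 'show crypto isakmp sa'")
    if expected_input and summary.get("input-interface") != expected_input:
        notes.append(f"packet entered on {summary.get('input-interface')!r}, not "
                     f"{expected_input!r}; the trace did not test the intended path")
    return notes


# Constructed sample: the trace posted in the thread, collapsed, with the two
# ALLOW-only phases (IP-OPTIONS, INSPECT) omitted.
TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 5
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: Test
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for note in diagnose(TRACE, expected_input="inside"):
        print("-", note)
```

On the thread's trace this yields three notes: the VPN/encrypt drop with its acl-drop reason, the negotiation hint, and the interface mismatch ('Test' rather than 'inside'), which is exactly the detail Jouni picks up on in the next reply.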

show crypto isakmp sa

There are no isakmp sas


Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: Test
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

The "packet-tracer" output lists an interface called "Test"

This was not mentioned in the original posts configuration at any point.

- Jouni

It is working now. I had wrong crypto policy map on one side.

Thanks,

Do rate the above helpful posts if it's working.

Jawad