Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Site to site VPN connectivity

Just configured site to site VPN for ASA 5515x and 5505. The tunnel is up, but couldn't ping to the other site from 5505 and vice versa. Below are the tunnel status and ASA configs. Any help or comment is appreciated. Thanks!

ASA5515X# sh crypto ipsec sa

interface: outside

    Crypto map tag: outside_map, seq num: 10, local addr: 211.24.X.X

      access-list outside_cryptomap_10 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

      current_peer: 175.141.X.X

      #pkts encaps: 1595, #pkts encrypt: 1595, #pkts digest: 1595

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 1595, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #TFC rcvd: 0, #TFC sent: 0

      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 211.24.X.X/4500, remote crypto endpt.: 175.141.X.X/4500

      path mtu 1492, ipsec overhead 66(44), media mtu 1500

      PMTU time remaining (sec): 0, DF policy: copy-df

      ICMP error validation: disabled, TFC packets: disabled

      current outbound spi: FC699E19

      current inbound spi : FFFCF744

    inbound esp sas:

      spi: 0xFFFCF744 (4294768452)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 1, IKEv1, }

         slot: 0, conn_id: 462848, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3915000/22042)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0xFC699E19 (4234780185)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 1, IKEv1, }

         slot: 0, conn_id: 462848, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3914825/22042)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

ASA5515X

ASA Version 9.1(1)

!

hostname ASA5515X

!

interface GigabitEthernet0/0

description TIMEFibre

nameif outside

security-level 0

pppoe client vpdn group navision

ip address pppoe setroute

!

interface GigabitEthernet0/1

description Internal LAN

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

nameif management

security-level 100

ip address 10.0.0.1 255.255.255.0

!

ftp mode passive

dns domain-lookup inside

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 192.168.0.10

object network SVR001

host 192.168.0.13

description Hyper-V Server

object network SVR002

host 192.168.0.12

description SQL server

object network SVR003

host 192.168.0.10

description Domain COntroller

object network SVR004

host 192.168.0.11

description Terminal server

object network local

subnet 192.168.0.0 255.255.255.0

description MFW

object network remote-A

subnet 192.168.1.0 255.255.255.0

description FWSG

object network remote-B

subnet 192.168.2.0 255.255.255.0

description FWWW

object network remote-C

subnet 192.168.3.0 255.255.255.0

description FWFM

object network remote-D

subnet 192.168.4.0 255.255.255.0

description FWMP

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list outside_cryptomap_10 extended permit ip object local object remote-B

access-list inside_access_in extended permit object-group TCPUDP any any

access-list inside_access_in extended permit icmp any4 any echo

access-list outside_access_in extended permit object-group TCPUDP any any

access-list inside_authentication extended permit tcp any any eq ssh

pager lines 24

logging enable

logging timestamp

logging buffered debugging

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static local local destination static remote-A remote-A no-proxy-arp route-lookup inactive

nat (inside,outside) source static local local destination static remote-B remote-B no-proxy-arp route-lookup

!

object network SVR001

nat (any,outside) static interface service tcp 3389 50013

object network SVR002

nat (any,outside) static interface service tcp 3389 50012

object network SVR003

nat (any,outside) static interface service tcp 3389 50010

object network SVR004

nat (any,outside) static interface service tcp 3389 50011

!

nat (inside,outside) after-auto source dynamic any interface

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 211.24.199.129 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication match inside_authentication inside LOCAL

aaa authorization command LOCAL

http server enable

http 10.0.0.0 255.255.255.0 management

http authentication-certificate inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto map outside_map 10 match address outside_cryptomap_10

crypto map outside_map 10 set pfs group1

crypto map outside_map 10 set peer 175.141.X.X

crypto map outside_map 10 set ikev1 transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto ca trustpool policy

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

ssh version 2

console timeout 0

vpdn group navision request dialout pppoe

vpdn group navision localname user@bb

vpdn group navision ppp authentication pap

vpdn username user@bb password ***** store-local

dhcpd address 192.168.0.100-192.168.0.200 inside

dhcpd dns 192.168.0.10 8.8.8.8 interface inside

dhcpd wins 192.168.0.10 interface inside

dhcpd enable inside

!

dhcpd address 10.0.0.100-10.0.0.110 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

tunnel-group 175.141.X.X type ipsec-l2l

tunnel-group 175.141.X.X ipsec-attributes

ikev1 pre-shared-key *****

!

class-map icmp-class

match default-inspection-traffic

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map icmp_policy

class icmp-class

  inspect icmp

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

service-policy icmp_policy interface inside

prompt hostname context

(Behind a router)

ASA5505# sh crypto ipsec sa

interface: outside

    Crypto map tag: outside_map, seq num: 1, local addr: 172.16.10.200

      access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)

      current_peer: 211.24.X.X

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 1539, #pkts decrypt: 1539, #pkts verify: 1539

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.10.200/4500, remote crypto endpt.: 211.24.X.X/4500

      path mtu 1500, ipsec overhead 66, media mtu 1500

      current outbound spi: FFFCF744

      current inbound spi : FC699E19

    inbound esp sas:

      spi: 0xFC699E19 (4234780185)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 1, }

         slot: 0, conn_id: 348160, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4373831/22284)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0xFFFCF744 (4294768452)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 1, }

         slot: 0, conn_id: 348160, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4374000/22284)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

ASA5505

ASA Version 8.2(5)

!

hostname ASA5505

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport access vlan 3

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 172.16.10.200 255.255.255.0

!

interface Vlan3

no forward interface Vlan2

nameif management

security-level 0

ip address 10.0.0.1 255.255.255.0

management-only

!

ftp mode passive

access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging buffered debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 172.16.10.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.2.0 255.255.255.0 inside

http 10.0.0.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 211.24.X.X

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 192.168.2.0 255.255.255.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.2.100-192.168.2.130 inside

dhcpd dns 192.168.2.1 8.8.8.8 interface inside

dhcpd enable inside

!

dhcpd address 10.0.0.100-10.0.0.110 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

tunnel-group 211.24.X.X type ipsec-l2l

tunnel-group 211.24.X.X ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Update:

The traffic to the other end is dropped by implicit rule but there already is an access-list configured no?

ASA5515X# sh crypto ipsec sa

interface: outside

    Crypto map tag: outside_map, seq num: 10, local addr: 211.24.X.X

      access-list outside_cryptomap_10 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

      current_peer: 175.141.X.X

      #pkts encaps: 30188, #pkts encrypt: 30188, #pkts digest: 30188

      #pkts decaps: 25550, #pkts decrypt: 25550, #pkts verify: 25550

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 30188, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #TFC rcvd: 0, #TFC sent: 0

      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 211.24.X.X/4500, remote crypto endpt.: 175.141.X.X/4500

      path mtu 1492, ipsec overhead 66(44), media mtu 1500

      PMTU time remaining (sec): 0, DF policy: copy-df

      ICMP error validation: disabled, TFC packets: disabled

      current outbound spi: 7D03CD30

      current inbound spi : B2B16E15

    inbound esp sas:

      spi: 0xB2B16E15 (2997972501)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 1, IKEv1, }

         slot: 0, conn_id: 516096, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4371272/24996)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x7D03CD30 (2097401136)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 1, IKEv1, }

         slot: 0, conn_id: 516096, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4367450/24996)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

ASA5515X# packet-tracer input inside icmp 192.168.0.1 0 8 192.168.2.1 detailed

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7fff2a320c70, priority=1, domain=permit, deny=false

        hits=3417800, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

        input_ifc=inside, output_ifc=any

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside,outside) source static local local destination static remote-B remote-B no-proxy-arp route-lookup

Additional Information:

NAT divert to egress interface outside

Untranslate 192.168.2.1/0 to 192.168.2.1/0

Phase: 4

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7fff2a2b5580, priority=500, domain=permit, deny=true

        hits=6, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=192.168.0.1, mask=255.255.255.255, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0

        input_ifc=inside, output_ifc=any

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Site to site VPN connectivity

Hi,

I noticed you use wrong format of the "packet-tracer" command actually

packet-tracer input inside icmp 8 0

And regarding the ASA5505 external ACL. It doesnt need one as by default the ASA allows any traffic incoming from VPN connection to bypass the interface ACL. I dont see the configuration having the command would change this default behaviour.

Can you issue the "packet-tracer" with the above correct Type/Code. You had them the wrong way around in the original command.

Could you also test the traffic between actual hosts and not the ASAs. Though the traffic from a host to the remote ASA "inside" IP address should also work.

With regards to the above it seems you have also changed the default inspection rules on the ASA5515-X unit since its not attached globally but to the "inside" interface. Not sure if it has any effect but I dont usually have a need to change them from the default.

- Jouni

22 REPLIES
New Member

Site to site VPN connectivity

Guys any feedback? I'm stuck here.

Super Bronze

Site to site VPN connectivity

Hi,

The "packet-tracer" fails because you use the ASA interface IP address as the source. You should use some random IP address belonging to the source network.

I assume that the ASA5505 behind the router has a Static NAT to the public IP address on the Router?

Will have to look at the configurations through but there should not be many things to look since the L2L VPN seems to have negotiated up. Perhaps a problem with NAT or even the Router infront of the ASA5505

- Jouni

Super Bronze

Site to site VPN connectivity

Your configurations seemed correct but the situation in the original post and after the update is different.

The first situation seems to suggest that the traffic from the ASA5515 got to the ASA5505 but there was no return traffic from behind that ASA. Looking at the configuration I would have to guess the problem in that case would have been on the actual hosts behind the ASA5505.

But in the updated information we can see that packets have both left to the L2L VPN and arrived from the L2L VPN connection so that would indicate that the L2L VPN would be able to pass traffic both ways.

What are you using to test the connection and where are you testing from or generating the traffic from?

- Jouni

New Member

Site to site VPN connectivity

And this is the current tunnel status;

ASA5515X#  sh crypto ipsec sa

interface: outside

    Crypto map tag: outside_map, seq num: 10, local addr: 211.24.199.129

      access-list outside_cryptomap_10 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

      current_peer: 175.141.249.29

      #pkts encaps: 5625, #pkts encrypt: 5625, #pkts digest: 5625

      #pkts decaps: 688, #pkts decrypt: 688, #pkts verify: 688

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 5625, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #TFC rcvd: 0, #TFC sent: 0

      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 211.24.199.129/4500, remote crypto endpt.: 175.141.249.29/4500

      path mtu 1492, ipsec overhead 66(44), media mtu 1500

      PMTU time remaining (sec): 0, DF policy: copy-df

      ICMP error validation: disabled, TFC packets: disabled

      current outbound spi: 44265C30

      current inbound spi : 4B0CFB8A

    inbound esp sas:

      spi: 0x4B0CFB8A (1259142026)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 1, IKEv1, }

         slot: 0, conn_id: 12288, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4373944/27760)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x44265C30 (1143364656)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 1, IKEv1, }

         slot: 0, conn_id: 12288, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4373727/27760)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

Super Bronze

Site to site VPN connectivity

Hi,

For you to be able to ICMP the "inside" interface on both units you will have to add this on both ASAs

management-access inside

It will allow to ICMP and connect with management connections to the "inside" interface through the L2L VPN connection.

- Jouni

Super Bronze

Site to site VPN connectivity

Hi,

You could also add this to the ASA5515-X "inside" interface ACL

access-list inside_access_in extended permit icmp any any echo

You could also add this on both ASA units

policy-map global_policy

class inspection_default

  inspect icmp

  inspect icmp error

- Jouni

New Member

Site to site VPN connectivity

It's already on 5515X, I just added for 5505;

ASA5505(config)# sh run | inc icmp

access-list inside_access_in extended permit icmp any any echo

icmp unreachable rate-limit 1 burst-size 1

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  inspect icmp

  inspect icmp error

ASA5515X# sh run | inc icmp

access-list inside_access_in extended permit icmp any4 any echo

icmp unreachable rate-limit 1 burst-size 1

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

class-map icmp-class

policy-map icmp_policy

class icmp-class

  inspect icmp

  inspect icmp error

service-policy icmp_policy interface inside

Super Bronze

Site to site VPN connectivity

Hi,

I noticed you use wrong format of the "packet-tracer" command actually

packet-tracer input inside icmp 8 0

And regarding the ASA5505 external ACL. It doesnt need one as by default the ASA allows any traffic incoming from VPN connection to bypass the interface ACL. I dont see the configuration having the command would change this default behaviour.

Can you issue the "packet-tracer" with the above correct Type/Code. You had them the wrong way around in the original command.

Could you also test the traffic between actual hosts and not the ASAs. Though the traffic from a host to the remote ASA "inside" IP address should also work.

With regards to the above it seems you have also changed the default inspection rules on the ASA5515-X unit since its not attached globally but to the "inside" interface. Not sure if it has any effect but I dont usually have a need to change them from the default.

- Jouni

New Member

Site to site VPN connectivity

Hey Jouni,

That did it, wrong packet-tracer format and ICMP fix! Thanks!

ASA5515X#  packet-tracer input inside icmp 192.168.0.10 8 0 192.168.2.1

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside,outside) source static local local destination static remote-B remote-B no-proxy-arp route-lookup

Additional Information:

NAT divert to egress interface outside

Untranslate 192.168.2.1/0 to 192.168.2.1/0

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit icmp any any echo

Additional Information:

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) source static local local destination static remote-B remote-B no-proxy-arp route-lookup

Additional Information:

Static translate 192.168.0.10/0 to 192.168.0.10/0

Phase: 6

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside,outside) source static local local destination static remote-B remote-B no-proxy-arp route-lookup

Additional Information:

Phase: 12

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 13

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 14

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 15

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 15971, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

ASA5505# packet-tracer input inside icmp 192.168.2.10 8 0 192.168.0.1

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 2

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 3

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

  match ip inside 192.168.2.0 255.255.255.0 outside 192.168.0.0 255.255.255.0

    NAT exempt

    translate_hits = 6013, untranslate_hits = 66418

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any outside any

    dynamic translation to pool 1 (172.16.10.200 [Interface PAT])

    translate_hits = 4745, untranslate_hits = 448

Additional Information:

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any inside any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 8

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 12

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 77234, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

But I still can't ping from 5515 inside interface to 5505?

ASA5515X(config)#  ping 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

Super Bronze

Re: Site to site VPN connectivity

Hi,

The ASA will by default use the interface IP address of the interface closest to the destination as the source. In this case its naturally the "outside" so that results in the ICMP failing as expected.

It might work with

ASA5515-X

ping inside 192.168.2.1

ASA5505

ping inside 192.168.0.1

- Jouni

New Member

Site to site VPN connectivity

Thank you Jouni! You've been a great help to my blunder!

Super Bronze

Re: Site to site VPN connectivity

Hi,

Does it work now?

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

New Member

Site to site VPN connectivity

Could you also test the traffic between actual hosts and not the ASAs. Though the traffic from a host to the remote ASA

"inside"

IP address should also work.

Ohh and I'm not able to test from actual hosts right now. Only ASA to ASA.

Super Bronze

Re: Site to site VPN connectivity

Hi,

There arent really many ways to test directly from the ASA.

The "ping" commands I mentioned in the above reply should work.

- Jouni

New Member

Site to site VPN connectivity

Does it work now?

Please do remember to mark a reply as the correct answer if it answered your question.

It's working now, thank you!

I have marked the post above as correct answer.

New Member

Site to site VPN connectivity

Just added on both ASAs earlier today;

ASA5515X#  sh run management-access

management-access inside

ASA5505# sh run management-access

management-access inside

New Member

Site to site VPN connectivity

Thanks for the input Jouni. I changed to random source IP, was that what you meant? But still getting the same result. ASA5505 behind the router doesn't have static NAT, instead the ports are being forwarded from the router.

ASA5515X#  packet-tracer input inside icmp 192.168.0.10 0 8 192.168.2.1 detailed

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7fff2a320c50, priority=1, domain=permit, deny=false

        hits=5499, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

        input_ifc=inside, output_ifc=any

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside,outside) source static local local destination static remote-B remote-B no-proxy-arp route-lookup

Additional Information:

NAT divert to egress interface outside

Untranslate 192.168.2.1/0 to 192.168.2.1/0

Phase: 4

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7fff2a3f2790, priority=11, domain=permit, deny=true

        hits=2, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0

        input_ifc=inside, output_ifc=any

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

New Member

Site to site VPN connectivity

The inside interface was unplugged during the initial testing before my update here.

I'm trying to ping the inside interface from both ends, i.e; 192.168.0.1 to 192.168.2.1 and vice versa.

Bronze

Site to site VPN connectivity

Actually a few issues here:

For the 5515:

I'm a little concerned about:

access-list outside_access_in extended permit object-group TCPUDP any any

...

access-group outside_access_in in interface outside

First it would allow any session from the internet to any internal client with any active translation, currently your traffic policy for incoming connections from the Internet is controlled only by the NAT statements.

Another thing: this ACL wouldn't allow the ICMP replies once you have fixed the other end.

access-list inside_access_in extended permit object-group TCPUDP any any

access-list inside_access_in extended permit icmp any4 any echo

...

access-group inside_access_in in interface inside

(I asume the "4" is some "residue" from sanitizing your config...)

Thjis access-list/group will only allow outbound echo request, your packet-tracer input generates an echo-reply

(see  http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml)

For the 5505:

There is no access-list/group at all permitting inbound VPN traffic. VPN traffic after being decapsulated/decrypted is handled like any other traffic originating from the outside destined for any inside target. Write an access-list/group permitting inbound VPN traffic.

New Member

Site to site VPN connectivity

Hi kafka,

The ACL for 5515 is only temp, as I attempting to fix this issue. And I have replaced the ICMP with

"extended permit icmp any any echo"

For 5505, I thought this line crypto map outside_map interface outside mapped the VPN to outside interface no?

Bronze

Site to site VPN connectivity

The ACL for 5515 is only temp, as I attempting to fix this issue. And I have replaced the ICMP with

"extended permit icmp any any echo"

I see, but I recommend to make more detailed ACL-entries when go productive.

For 5505, I thought this line crypto map outside_map interface outside mapped the VPN to outside interface no?

Actually yes, this is for the tunnel-transport, not necessarily for the tunnel payload.

But you seem to have the default (and hidden) sysopt connection permit-vpn, I forgot about the change of defaults (it was different in older versions). On the newer versions the tunnel payload is permitted by default, on older versions you had to permit the tunnel payload explicitly.

Rgds, MiKa

New Member

Site to site VPN connectivity

Got it, thanks for your input. Appreciate it

551
Views
0
Helpful
22
Replies
CreatePlease to create content