04-14-2014 05:10 AM
Hi Guys
I have a little problem I hope you can help me with.
I have a site to site LAN VPN connection up and running between a Cisco ASA 5512X and a Cisco 881 router running Zone Based Firewall. The tunnel comes up OK.
From the router:
MAGURELE-R#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
89.45.179.202 89.249.1.238 QM_IDLE 2098 ACTIVE
IPv6 Crypto ISAKMP SA
MAGURELE-R#
MAGURELE-R#sh crypto ipsec sa
interface: FastEthernet4
Crypto map tag: outside_map, local addr 89.45.179.202
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.201.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.255.0/0/0)
current_peer 89.249.1.238 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 15841, #pkts decrypt: 15841, #pkts verify: 15841
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 89.45.179.202, remote crypto endpt.: 89.249.1.238
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x6B607F06(1801486086)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x53D22529(1406281001)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 9, flow_id: Onboard VPN:9, sibling_flags 80000040, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4284358/2828)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6B607F06(1801486086)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 10, flow_id: Onboard VPN:10, sibling_flags 80000040, crypto map : outside_map
sa timing: remaining key lifetime (k/sec): (4284359/2828)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
MAGURELE-R#
I am sure the VPN settings are the same at both ends. But only traffic from the ASA side is passed.
I can see the traffic is coming through from the ASA side on the router:
MAGURELE-R#sh log | i 10.2.0.254
*Apr 14 11:43:25.785: %SEC-6-IPACCESSLOGDP: list customer_access permitted icmp 10.2.0.254 -> 192.168.201.1 (0/0), 1 packet
*Apr 14 11:48:52.025: %SEC-6-IPACCESSLOGDP: list customer_access permitted icmp 10.2.0.254 -> 192.168.201.1 (0/0), 3 packets
*Apr 14 11:58:52.025: %SEC-6-IPACCESSLOGDP: list customer_access permitted icmp 10.2.0.254 -> 192.168.201.1 (0/0), 3 packets
MAGURELE-R#
But never any return traffic.
Router IOS is: Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)
I am kind of lost here. What might the problem be?
Regards
Mikkel
04-14-2014 06:02 AM
Had a quick look at your config. It seems that all traffic is being NATed; I believe this is why the return traffic is not working / can't reach back to the ASA. You need to make sure traffic from 192.168.201.0/24 destined to 10.2.0.0/24 is not being NATed by the router.
Change your ACL #199 to the following:
access-list 199 deny ip 192.168.201.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 199 permit ip any any
HTH,
04-14-2014 05:36 AM
The key bits of your configuration for the VPN are:
ip access-list extended customer
 permit ip 192.168.201.0 0.0.0.255 10.2.0.0 0.0.0.255
ip access-list extended customer_access
 permit ip any any log
crypto map outside_map 10 ipsec-isakmp
 set peer 89.249.1.238
 set ip access-group customer_access in
 set transform-set SCADA
 match address customer
We see from the output you provided that the Phase 2 SA is established as desired but only decaps (incoming traffic) are observed - no encaps (outgoing traffic).
I may have missed it in your config file but I don't see a NAT exemption for the return traffic. Your NAT setup uses:
ip nat inside source list 199 interface FastEthernet4 overload
access-list 199 permit ip any any
We would typically look for something like:
ip nat inside source route-map nonat interface FastEthernet0 overload
route-map nonat permit 10
 match ip address customer_access
...followed by the other NAT you have.
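Both replies above (Rudy's deny line in ACL 199 and Marvin's NAT-exemption remark) rest on the same IOS order of operations: for a packet going from the inside to the outside interface, "ip nat inside source" translates the packet before the crypto map's match ACL is evaluated, so interesting traffic that gets PATed to the outside address no longer matches the crypto ACL and is never encapsulated, which is exactly the "encaps: 0" seen in the posted output. The following Python script is an added example, not code from the thread or from Cisco; it models that path with the ACL lines and addresses posted in the thread and assumes contiguous wildcard masks, "ip"-only ACEs and a single interface-overload NAT (a route-map whose match ACL permits the flow behaves the same in this model).

```python
"""Model the IOS inside->outside order of operations behind a NAT exemption:
NAT (ip nat inside source) translates a packet *before* the crypto map ACL is
evaluated, so interesting traffic that is NATed is never encapsulated.
Addresses and ACL lines below are the ones posted in the thread."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'.
    Returns (network, index of the next token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard mask is the bitwise inverse of the subnet mask
    # (assumption: contiguous masks only, which ip_network requires).
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}"), i + 2


def parse_acl(lines):
    """Parse 'permit/deny ip SRC DST [log]' entries, in either numbered
    ('access-list 199 ...') or named-ACL body form, keeping the written order."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[0] == "access-list":        # numbered form: drop "access-list <n>"
            tokens = tokens[2:]
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src, i = _take_addr(tokens, 2)
        dst, _ = _take_addr(tokens, i)
        entries.append(AclEntry(action, src, dst))
    return entries


def acl_permits(entries, src_ip, dst_ip):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


def forward_inside_to_outside(nat_acl, crypto_acl, src_ip, dst_ip, outside_ip):
    """Inside->outside path: overload-NAT the source to the outside address if the
    NAT ACL permits the flow, then evaluate the crypto map ACL on the translated
    packet. Returns (source address as the crypto map sees it, encapsulated?)."""
    if acl_permits(nat_acl, src_ip, dst_ip):
        src_ip = outside_ip                    # PAT to the interface address (overload)
    return str(src_ip), acl_permits(crypto_acl, src_ip, dst_ip)


def unexempted_interesting_traffic(crypto_acl, nat_acl):
    """Return (src, dst) pairs from crypto-ACL permit entries that the NAT ACL would
    still translate, i.e. flows that need a 'deny' (exemption) in the NAT ACL.
    Each network's first address stands in as a representative host."""
    gaps = []
    for e in crypto_acl:
        if e.action == "permit" and acl_permits(
                nat_acl, e.src.network_address, e.dst.network_address):
            gaps.append((str(e.src), str(e.dst)))
    return gaps


# --- Values from the thread (hosts taken from the 'sh ip nat tra' output) ---
OUTSIDE_IP = "89.45.179.202"                  # FastEthernet4
LAN_HOST = "192.168.201.240"
REMOTE_HOST = "10.2.0.254"
CRYPTO_ACL = parse_acl(["permit ip 192.168.201.0 0.0.0.255 10.2.0.0 0.0.0.255"])  # 'customer'
NAT_ACL_ORIGINAL = parse_acl(["access-list 199 permit ip any any"])
NAT_ACL_FIXED = parse_acl([
    "access-list 199 deny ip 192.168.201.0 0.0.0.255 10.2.0.0 0.0.0.255",
    "access-list 199 permit ip any any",
])

if __name__ == "__main__":
    for label, acl in (("original", NAT_ACL_ORIGINAL), ("fixed", NAT_ACL_FIXED)):
        seen_src, encap = forward_inside_to_outside(acl, CRYPTO_ACL, LAN_HOST, REMOTE_HOST, OUTSIDE_IP)
        print(f"{label:8s} ACL 199: crypto map sees src {seen_src}, encapsulated={encap}, "
              f"exemption gaps={unexempted_interesting_traffic(CRYPTO_ACL, acl)}")
```

With the original "permit ip any any" the model translates 192.168.201.240 to 89.45.179.202 before the crypto map looks at the packet, which is the translation the "sh ip nat tra" output below shows, and the packet is not encapsulated; with the deny line in front the packet keeps its LAN source, matches the crypto ACL and is encapsulated, while ordinary Internet-bound traffic from the same host is still NATed. The unexempted_interesting_traffic check is the pre-change test to run against any crypto ACL / NAT ACL pair.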
04-14-2014 06:25 AM
Hi Marvin
Thanks for the reply. I have tried what was suggested, but with no luck:
MAGURELE-R# sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
89.45.179.202 89.249.1.238 QM_IDLE 2102 ACTIVE
IPv6 Crypto ISAKMP SA
MAGURELE-R#
MAGURELE-R# sh crypto ipsec sa
interface: FastEthernet4
Crypto map tag: outside_map, local addr 89.45.179.202
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.201.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.255.0/0/0)
current_peer 89.249.1.238 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 15874, #pkts decrypt: 15874, #pkts verify: 15874
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 89.45.179.202, remote crypto endpt.: 89.249.1.238
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0xA3ED461E(2750236190)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xEC584333(3965207347)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 13, flow_id: Onboard VPN:13, sibling_flags 80000040, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4359504/3237)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA3ED461E(2750236190)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 14, flow_id: Onboard VPN:14, sibling_flags 80000040, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4359505/3237)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
MAGURELE-R#
MAGURELE-R#sh ip nat tra | i 10.2.0.254
icmp 89.45.179.202:67 192.168.201.240:67 10.2.0.254:67 10.2.0.254:67
tcp 89.45.179.202:3389 192.168.201.240:3389 10.2.0.254:62719 10.2.0.254:62719
MAGURELE-R#
It seems like the NAT is OK.
But still no encaps.
Any other suggestions?
Regards
Mikkel
04-14-2014 06:30 AM
Hi Rudy
Thanks for the reply. That was it.
Regards
Mikkel