VPN no Packets

Arif .
Level 1

Hi,

I'm trying to setup a VPN tunnel between two sites using an ASA5510 and a ASA5520.

I have successful VPN establishment, but I am unable to transfer packets across. I want to be able to see the networks sitting behind the f/w LANs, but even the f/w LANs cannot send packets to each other.

I have attached the two configs and a brief diagram.

Thanks.

17 Replies

andrew.prince
Level 10

check your no-nat

HTH.

Hi,

Can you please be a bit more specific?

Thanks.

Your encryption domains (interesting VPN traffic) do not match your no-nat config.

I've checked both configs; there is no 'no-nat' reference.

Is that what you mean, that no 'no-nat' rule exists?

You do have a no-nat, you have it configured as on the 5510:-

nat (Inside) 0 access-list Inside_nat0_outbound

access-list Inside_nat0_outbound extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0

but your interesting ACL on the 5510 is:-

access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3

The ACLs do not match.
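The mismatch described in this reply can be checked mechanically: expand the object-groups, enumerate every source/destination pair the crypto-map ACL encrypts, and report the pairs the nat 0 (no-nat) ACL does not exempt. This is an added example, not code from the thread; the object-group contents and the sample config are constructed, since the real configs were attachments.

```python
import ipaddress
# Constructed sample shaped like the 5510 config in the thread (object-group crypto ACL, one-pair nat 0 ACL).
SAMPLE_CONFIG = """
object-group network DM_INLINE_NETWORK_4
 network-object 172.16.54.0 255.255.255.0
 network-object 172.16.51.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object 172.24.107.0 255.255.255.0
 network-object 172.24.104.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3
nat (Inside) 0 access-list Inside_nat0_outbound
crypto map Outside_map 1 match address Outside_1_cryptomap
"""

def _endpoint(t, i, groups):
    """Consume one ACL endpoint at t[i]: object-group NAME, host A, any, or ADDR MASK."""
    if t[i] == "object-group":
        return groups[t[i + 1]], i + 2
    if t[i] == "host":
        return [ipaddress.ip_network(t[i + 1])], i + 2
    if t[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    return [ipaddress.ip_network(f"{t[i]}/{t[i + 1]}")], i + 2

def parse_config(text):
    """Return expanded 'permit ip' ACL pairs, nat 0 ACL names and crypto-map match ACLs."""
    groups, acls, nat0, crypto, group = {}, {}, [], [], None
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["object-group", "network"]:
            group = groups.setdefault(t[2], [])
        elif t[:1] == ["network-object"]:
            group.append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
        elif t[:1] == ["access-list"] and "permit" in t and "ip" in t:
            src, i = _endpoint(t, t.index("ip") + 1, groups)
            dst, _ = _endpoint(t, i, groups)
            acls.setdefault(t[1], []).extend((s, d) for s in src for d in dst)
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            nat0.append(t[4])
        elif t[:2] == ["crypto", "map"] and "address" in t:
            crypto.append(t[t.index("address") + 1])
    return acls, nat0, crypto

def uncovered_flows(text):
    """Crypto-ACL (src, dst) pairs that no nat 0 exemption line fully covers."""
    acls, nat0, crypto = parse_config(text)
    exempt = [p for name in nat0 for p in acls.get(name, [])]
    return [(str(s), str(d)) for name in crypto for s, d in acls.get(name, [])
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]
```

Any pair it returns will be NATed to the outside address before the crypto map sees it, so it never counts as interesting traffic; an empty list means the two ACLs agree.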

Ah, so if I change it to:

access-list Outside_1_cryptomap extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0

That should pick it up as interesting traffic and will match the no-nat rule?

Yes - I would suggest you create another ACL and name it something else, then you can switch between the two.

Or, if I want to allow traffic from the LAN sitting behind each f/w LAN, I can do:

nat (Inside) 0 access-list Inside_nat0_outbound

access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3

access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3

?

Did the update, no joy; the VPN tunnel is still up but no packets are going through.

Is your interesting traffic ACL being hit? When you do a show crypto ipsec sa, can you see packets being encrypted and decrypted at both sides?

Both f/w are responding:

There are no ipsec sas

OK, this is the output I got:

ASA5520:

LYV-LHC-ASA5520-01# sh crypto ipsec sa
interface: Outside
    Crypto map tag: Outside_map, seq num: 1, local addr: 193.82.146.254

      access-list Outside_1_cryptomap permit ip 172.24.107.0 255.255.255.0 172.16.54.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.24.107.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.54.0/255.255.255.0/0/0)
      current_peer: 81.246.92.116

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 193.82.146.254, remote crypto endpt.: 81.246.92.116

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: E27A8077

    inbound esp sas:
      spi: 0x5E2B2FB6 (1579888566)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 45056, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/28765)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xE27A8077 (3799679095)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 45056, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/28764)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ASA5510:

interface: Outside
    Crypto map tag: Outside_map, seq num: 1, local addr: 81.246.92.116

      access-list Outside_1_cryptomap permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.54.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.24.107.0/255.255.255.0/0/0)
      current_peer: 193.82.146.254

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 81.246.92.116, remote crypto endpt.: 193.82.146.254

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 5E2B2FB6

    inbound esp sas:
      spi: 0xE27A8077 (3799679095)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 176128, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28678)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x5E2B2FB6 (1579888566)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 176128, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28678)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
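The counter check asked for earlier (encaps and decaps at both sides) can be automated over this kind of output. The parser below is an added example, not from the thread; it splits a show crypto ipsec sa dump into one record per proxy identity and turns the encaps/decaps counters into a next-step hint. The embedded excerpt reuses the addresses posted above, but its counter values are sample data.

```python
import re
# Excerpt shaped like the "sh crypto ipsec sa" output posted above; counters are sample values.
SAMPLE_OUTPUT = """
interface: Outside
    Crypto map tag: Outside_map, seq num: 1, local addr: 193.82.146.254
      local ident (addr/mask/prot/port): (172.24.107.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.54.0/255.255.255.0/0/0)
      current_peer: 81.246.92.116
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

# One regex per field of interest; the first capture group is the value.
SA_FIELDS = {
    "local": re.compile(r"local ident .*?: \((\S+?/\S+?)/"),
    "remote": re.compile(r"remote ident .*?: \((\S+?/\S+?)/"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_err": re.compile(r"#send errors: (\d+)"),
    "recv_err": re.compile(r"#recv errors: (\d+)"),
}

def parse_ipsec_sa(text):
    """Return one dict per proxy identity (each 'local ident' block) in the output."""
    sas = []
    for chunk in re.split(r"(?=local ident)", text)[1:]:
        sa = {}
        for key, rx in SA_FIELDS.items():
            m = rx.search(chunk)
            if m:
                sa[key] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
        sas.append(sa)
    return sas

def triage(sa):
    """Classify an SA from its counters; returns (code, what to check next)."""
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if enc == 0 and dec == 0:
        code, hint = "no-traffic", "nothing hits the crypto map: check no-nat, crypto ACL, routing and interface ACLs"
    elif dec == 0:
        code, hint = "one-way-out", "encrypting but nothing comes back: look at the remote side's no-nat and routing"
    elif enc == 0:
        code, hint = "one-way-in", "decrypting but not replying: local hosts or routing are not returning traffic"
    else:
        code, hint = "ok", "traffic flowing in both directions"
    if sa.get("send_err", 0) or sa.get("recv_err", 0):
        hint += "; send/recv errors present, check MTU and the peer's SA state"
    return code, hint
```

Run it on both firewalls' output: zero counters on both ends, as in the thread, means the packets are dropped or misrouted before they ever reach the crypto map, which is what the next reply concludes.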

Then you are either blocking, or your routing is not correct, or your interesting ACL is wrong, or your no-nat is wrong. I took some of your config into my lab with a PIX 515 and an ASA and put them back to back, with 2 routers on either side. This works:-

hostname FW0
int e0
 nameif outside
 ip address 1.1.1.1 255.255.255.0
 no shut
int e1
 nameif inside
 ip address 172.16.51.250 255.255.255.0
 no shut
!
access-list outside-in permit icmp any any echo-reply
access-list outside-in permit icmp any any traceroute
access-list outside-in permit icmp any any time-exceeded
access-list outside-in permit icmp any any unreachable
access-list vpn-tunnel extended permit ip 172.16.51.0 255.255.255.0 172.24.104.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.16.51.0 255.255.255.0 172.24.107.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.16.54.0 255.255.255.0 172.24.104.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list vpn-tunnel
nat (inside) 1 172.16.0.0 255.255.0.0
!
route outside 0.0.0.0 0.0.0.0 1.1.1.1
route inside 172.16.54.0 255.255.255.0 172.16.51.254
route outside 172.24.104.0 255.255.255.0 1.1.1.1
route outside 172.24.107.0 255.255.255.0 1.1.1.1
!
access-group outside-in in interface outside
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map vpntunnel-outside 1 match address vpn-tunnel
crypto map vpntunnel-outside 1 set peer 2.2.2.2
crypto map vpntunnel-outside 1 set transform-set ESP-3DES-SHA1
!
crypto map vpntunnel-outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key cisco1234
!
end

**********************

hostname FW1
int e0
 nameif outside
 ip address 2.2.2.2 255.255.255.0
 no shut
int e1
 nameif inside
 ip address 172.24.104.250 255.255.255.0
 no shut
!
access-list outside-in permit icmp any any echo-reply
access-list outside-in permit icmp any any traceroute
access-list outside-in permit icmp any any time-exceeded
access-list outside-in permit icmp any any unreachable
access-list vpn-tunnel extended permit ip 172.24.104.0 255.255.255.0 172.16.51.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.24.104.0 255.255.255.0 172.16.54.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.24.107.0 255.255.255.0 172.16.51.0 255.255.255.0
access-list vpn-tunnel extended permit ip 172.24.107.0 255.255.255.0 172.16.54.0 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list vpn-tunnel
nat (inside) 1 172.24.0.0 255.255.0.0
!
route outside 0.0.0.0 0.0.0.0 2.2.2.2
route inside 172.24.107.0 255.255.255.0 172.24.104.254
route outside 172.16.51.0 255.255.255.0 2.2.2.2
route outside 172.16.54.0 255.255.255.0 2.2.2.2
!
access-group outside-in in interface outside
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
! the crypto map must reference the same ACL that is used for nat 0 above
crypto map vpntunnel-outside 1 match address vpn-tunnel
crypto map vpntunnel-outside 1 set peer 1.1.1.1
crypto map vpntunnel-outside 1 set transform-set ESP-3DES-SHA1
!
crypto map vpntunnel-outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key cisco1234
!
end

I ran a packet trace and the ICMP was blocked on the 'Implicit Deny Rule' on the Inside interface of the ASA5520. I have a rule that allows all ICMP for that same interface, so why is the implicit rule blocking packets?
