Cisco Support Community
Community Member

VPN no Packets

Hi,

I'm trying to set up a VPN tunnel between two sites using an ASA5510 and an ASA5520.

I have successful VPN establishment but I am unable to transfer packets across. I want to be able to see the networks sitting behind the f/w LANs, but even the f/w LANs cannot send packets to each other.

I have attached the two configs and a brief diagram.

Thanks.

17 REPLIES

Re: VPN no Packets

check your no-nat

HTH

Community Member

Re: VPN no Packets

Hi,

Can you please be a bit more specific?

Thanks.

Re: VPN no Packets

Your encryption domains (interesting VPN traffic) do not match your no-nat config.

Community Member

Re: VPN no Packets

I've checked both configs; there is no 'no-nat' reference.

Is that what you mean, that no 'no-nat' rule exists?

Re: VPN no Packets

You do have a no-nat; on the 5510 you have it configured as:-

nat (Inside) 0 access-list Inside_nat0_outbound

access-list Inside_nat0_outbound extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0

but your interesting ACL on the 5510 is:-

access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3

The ACLs do not match.
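The mismatch described in this reply (crypto-map ACL vs. nat 0 exemption ACL) can be checked mechanically. The following is an added example, not code from the thread or from Cisco; it assumes the pre-8.3 ASA syntax used above, adds a hypothetical second crypto ACE (172.16.51.0/24 to 172.24.104.0/24) to show a miss, and parses only plain network/mask ACEs, so object-group entries such as DM_INLINE_NETWORK_4 must be expanded first.

```python
import ipaddress
import re

# Constructed sample in the style of the thread's pre-8.3 ASA config. The first crypto
# ACE mirrors the nat 0 ACE; the second is a hypothetical extra encryption domain
# that has no matching NAT exemption.
ASA5510_CONFIG = """
access-list Inside_nat0_outbound extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip 172.16.51.0 255.255.255.0 172.24.104.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
crypto map Outside_map 1 match address Outside_1_cryptomap
"""

# Only "network mask network mask" ACEs are parsed; host/any/object-group entries are skipped.
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)", re.M)
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)", re.M)


def parse_acls(config):
    """Map ACL name -> list of (src_network, dst_network) for the parsable ACEs."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, src, smask, dst, dmask = m.groups()
        # ipaddress accepts dotted netmasks, e.g. "172.16.54.0/255.255.255.0"
        acls.setdefault(name, []).append(
            (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}"))
        )
    return acls


def find_uncovered(config):
    """Return crypto-map ACEs that no nat 0 (NAT-exempt) ACE covers.

    A crypto ACE is covered when some exemption ACE's source and destination each
    contain it. Traffic matching an uncovered ACE is translated (here PATed to the
    outside address) before the crypto map is consulted, so it never matches the
    tunnel's interesting-traffic definition and the SA counters stay at zero.
    """
    acls = parse_acls(config)
    exempt = [ace for name in NAT0_RE.findall(config) for ace in acls.get(name, [])]
    uncovered = []
    for name in CRYPTO_RE.findall(config):
        for src, dst in acls.get(name, []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                uncovered.append(f"{name}: {src} -> {dst}")
    return uncovered


if __name__ == "__main__":
    for problem in find_uncovered(ASA5510_CONFIG):
        print("crypto ACE without NAT exemption:", problem)
```

Run it against each firewall's config separately; both sides must come back clean, and the two sides' crypto ACLs must mirror each other.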

Community Member

Re: VPN no Packets

Ah, so if I change it to:

access-list Outside_1_cryptomap extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0

That should pick it up as interesting traffic and will match the no-nat rule?

Re: VPN no Packets

Yes - I would suggest you create another ACL and name it something else; then you can switch between the two.

Community Member

Re: VPN no Packets

Or, if I want to allow traffic from the LAN sitting behind each f/w LAN, I can do:

nat (Inside) 0 access-list Inside_nat0_outbound

access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3

access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3

?

Community Member

Re: VPN no Packets

Did the update; no joy. The VPN tunnel is still up but no packets are going through.

Re: VPN no Packets

Is your interesting traffic ACL being hit? When you do a show crypto ipsec sa, can you see packets being encrypted and decrypted at both sides?

Community Member

Re: VPN no Packets

Both f/w are responding:

There are no ipsec sas

Community Member

Re: VPN no Packets

OK, this is the output I got:

ASA5520:

LYV-LHC-ASA5520-01# sh crypto ipsec sa

interface: Outside

Crypto map tag: Outside_map, seq num: 1, local addr: 193.82.146.254

access-list Outside_1_cryptomap permit ip 172.24.107.0 255.255.255.0 172.16.54.0 255.255.255.0

local ident (addr/mask/prot/port): (172.24.107.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (172.16.54.0/255.255.255.0/0/0)

current_peer: 81.246.92.116

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 193.82.146.254, remote crypto endpt.: 81.246.92.116

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: E27A8077

inbound esp sas:

spi: 0x5E2B2FB6 (1579888566)

transform: esp-3des esp-sha-hmac no compression

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 45056, crypto-map: Outside_map

sa timing: remaining key lifetime (kB/sec): (4374000/28765)

IV size: 8 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

outbound esp sas:

spi: 0xE27A8077 (3799679095)

transform: esp-3des esp-sha-hmac no compression

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 45056, crypto-map: Outside_map

sa timing: remaining key lifetime (kB/sec): (4374000/28764)

IV size: 8 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

ASA5510:

interface: Outside

Crypto map tag: Outside_map, seq num: 1, local addr: 81.246.92.116

access-list Outside_1_cryptomap permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0

local ident (addr/mask/prot/port): (172.16.54.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (172.24.107.0/255.255.255.0/0/0)

current_peer: 193.82.146.254

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 81.246.92.116, remote crypto endpt.: 193.82.146.254

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: 5E2B2FB6

inbound esp sas:

spi: 0xE27A8077 (3799679095)

transform: esp-3des esp-sha-hmac no compression

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 176128, crypto-map: Outside_map

sa timing: remaining key lifetime (kB/sec): (3915000/28678)

IV size: 8 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

outbound esp sas:

spi: 0x5E2B2FB6 (1579888566)

transform: esp-3des esp-sha-hmac no compression

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 176128, crypto-map: Outside_map

sa timing: remaining key lifetime (kB/sec): (3915000/28678)

IV size: 8 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001
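The encaps/decaps counters in the output above are what the next reply reasons from. As an added example that is not part of the thread, the parser below reads that output format, extracts the selectors, peer and packet counters for each SA, and classifies the SA from the counters; the sample text is a constructed excerpt in the format shown above, using the 5510 side's values.

```python
import re

# Constructed excerpt in the format of the thread's "sh crypto ipsec sa" output (5510 side).
# Indentation mirrors the ASA output but does not matter to the parser.
SA_OUTPUT = """\
interface: Outside
    Crypto map tag: Outside_map, seq num: 1, local addr: 81.246.92.116

      access-list Outside_1_cryptomap permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.54.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.24.107.0/255.255.255.0/0/0)
      current_peer: 193.82.146.254

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IDENT_RE = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
FIELD_RES = {
    "peer": re.compile(r"^current_peer: (\S+)"),
    "encaps": re.compile(r"^#pkts encaps: (\d+)"),
    "decaps": re.compile(r"^#pkts decaps: (\d+)"),
}


def parse_sas(output):
    # One dict per SA: "local", "remote" (network/mask), "peer", "encaps", "decaps".
    sas, cur = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("local ident"):   # each SA block starts with its local selector
            cur = {"encaps": 0, "decaps": 0}
            sas.append(cur)
        if cur is None:
            continue
        m = IDENT_RE.match(line)
        if m:
            cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
            continue
        for key, rx in FIELD_RES.items():
            m = rx.match(line)
            if m:
                cur[key] = m.group(1) if key == "peer" else int(m.group(1))
    return sas


def diagnose(sa):
    # Read from the side whose output was captured; "this side" is that firewall.
    enc, dec = sa["encaps"] > 0, sa["decaps"] > 0
    if not enc and not dec:
        return "nothing encrypted or decrypted: traffic never reaches the tunnel; check routing, no-nat and ACLs on both sides"
    if enc and not dec:
        return "encrypting but not decrypting: the peer is not returning traffic; check the peer side"
    if dec and not enc:
        return "decrypting but not encrypting: replies are dropped on this side; check return routing, inside ACL and NAT"
    return "traffic flows in both directions"
```

With the thread's output, both sides fall into the first case, which is why the next reply points at routing, ACLs and no-nat rather than at the IKE/IPsec negotiation.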

Re: VPN no Packets

Then you are either blocking, or your routing is not correct, or your interesting ACL is wrong, or your no-nat is wrong. I took some of your config into my lab with a PIX 515 and an ASA and put them back to back, with 2 routers on either side; this works:-

hostname FW0

int e0

nameif outside

ip address 1.1.1.1 255.255.255.0

no shut

int e1

nameif inside

ip address 172.16.51.250 255.255.255.0

no shut

!

access-list outside-in permit icmp any any echo-reply

access-list outside-in permit icmp any any traceroute

access-list outside-in permit icmp any any time-exceeded

access-list outside-in permit icmp any any unreachable

access-list vpn-tunnel extended permit ip 172.16.51.0 255.255.255.0 172.24.104.0 255.255.255.0

access-list vpn-tunnel extended permit ip 172.16.51.0 255.255.255.0 172.24.107.0 255.255.255.0

access-list vpn-tunnel extended permit ip 172.16.54.0 255.255.255.0 172.24.104.0 255.255.255.0

access-list vpn-tunnel extended permit ip 172.16.54.0 255.255.255.0 172.24.107.0 255.255.255.0

!

global (outside) 1 interface

nat (inside) 0 access-list vpn-tunnel

nat (inside) 1 172.16.0.0 255.255.0.0

!

route outside 0.0.0.0 0.0.0.0 1.1.1.1

route inside 172.16.54.0 255.255.255.0 172.16.51.254

route outside 172.24.104.0 255.255.255.0 1.1.1.1

route outside 172.24.107.0 255.255.255.0 1.1.1.1

!

access-group outside-in in interface outside

!

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

!

crypto map vpntunnel-outside 1 match address vpn-tunnel

crypto map vpntunnel-outside 1 set peer 2.2.2.2

crypto map vpntunnel-outside 1 set transform-set ESP-3DES-SHA1

!

crypto map vpntunnel-outside interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

!

tunnel-group 2.2.2.2 type ipsec-l2l

tunnel-group 2.2.2.2 ipsec-attributes

pre-shared-key cisco1234

!

end

**********************

hostname FW1

int e0

nameif outside

ip address 2.2.2.2 255.255.255.0

no shut

int e1

nameif inside

ip address 172.24.104.250 255.255.255.0

no shut

!

access-list outside-in permit icmp any any echo-reply

access-list outside-in permit icmp any any traceroute

access-list outside-in permit icmp any any time-exceeded

access-list outside-in permit icmp any any unreachable

access-list vpn-tunnel extended permit ip 172.24.104.0 255.255.255.0 172.16.51.0 255.255.255.0

access-list vpn-tunnel extended permit ip 172.24.104.0 255.255.255.0 172.16.54.0 255.255.255.0

access-list vpn-tunnel extended permit ip 172.24.107.0 255.255.255.0 172.16.51.0 255.255.255.0

access-list vpn-tunnel extended permit ip 172.24.107.0 255.255.255.0 172.16.54.0 255.255.255.0

!

global (outside) 1 interface

nat (inside) 0 access-list vpn-tunnel

nat (inside) 1 172.24.0.0 255.255.0.0

!

route outside 0.0.0.0 0.0.0.0 2.2.2.2

route inside 172.24.107.0 255.255.255.0 172.24.104.254

route outside 172.16.51.0 255.255.255.0 2.2.2.2

route outside 172.16.54.0 255.255.255.0 2.2.2.2

!

access-group outside-in in interface outside

!

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

!

crypto map vpntunnel-outside 1 match address vpn-tunnel

crypto map vpntunnel-outside 1 set peer 1.1.1.1

crypto map vpntunnel-outside 1 set transform-set ESP-3DES-SHA1

!

crypto map vpntunnel-outside interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

!

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

pre-shared-key cisco1234

!

end

Community Member

Re: VPN no Packets

I ran a packet trace and the ICMP was blocked on the 'Implicit Deny Rule' on the Inside interface of the ASA5520. I have a rule that allows all ICMP for that same interface, so why is the implicit rule blocking packets?

Re: VPN no Packets

Check your ACLs - check, check, check your config.

Community Member

Re: VPN no Packets

I have checked the config; if it was something I'd spotted, I would not have put up the post.

The whole point is that the VPN tunnel is up and I would like to get an opinion on why traffic is not being transferred across.

Writing out the configs from scratch is not an option, unfortunately, and check check check doesn't help resolve the problem.

Community Member

Re: VPN no Packets

I've resolved the issue.
