VPN remote access client connect but cannot ping inside host after split-tunnel is enabled (config-attached)

rammany19

Level 1

Hello,

I don't know what might have happened: VPN users can ping the outside and inside interfaces of the Cisco ASA but cannot connect to servers or ping the servers inside the LAN.

Please kindly check the config and let me know what might have happened.

hostname horse

domain-name evergreen.com

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

dns-guard

!

interface GigabitEthernet0/0

description LAN

nameif inside

security-level 100

ip address 192.168.200.1 255.255.255.0

!

interface GigabitEthernet0/1

description CONNECTION_TO_FREEMAN

nameif outside

security-level 0

ip address 196.1.1.1 255.255.255.248

!

interface GigabitEthernet0/2

description CONNECTION_TO_TIGHTMAN

nameif backup

security-level 0

ip address 197.1.1.1 255.255.255.248

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

management-only

!

boot system disk0:/asa844-1-k8.bin

boot system disk0:/asa707-k8.bin

ftp mode passive

clock timezone WAT 1

dns server-group DefaultDNS

domain-name green.com

object network NETWORK_OBJ_192.168.2.0_25

subnet 192.168.2.0 255.255.255.128

object network NETWORK_OBJ_192.168.202.0_24

subnet 192.168.202.0 255.255.255.0

object network obj_any

subnet 0.0.0.0 0.0.0.0

object-group network DM_INLINE_NETWORK_1

network-object 192.168.200.0 255.255.255.0

network-object 192.168.202.0 255.255.255.0

object-group network DM_INLINE_NETWORK_2

network-object 192.168.200.0 255.255.255.0

network-object 192.168.202.0 255.255.255.0

access-list INSIDE_OUT extended permit ip 192.168.202.0 255.255.255.0 any

access-list INSIDE_OUT extended permit ip 192.168.200.0 255.255.255.0 any

access-list OUTSIDE_IN extended permit ip any any

access-list gbnlvpntunnel_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0

access-list gbnlvpntunnel_splitTunnelAcl standard permit 192.168.202.0 255.255.255.0

access-list gbnlvpntunnell_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0

access-list gbnlvpntunnell_splitTunnelAcl standard permit 192.168.202.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu backup 1500

ip local pool VPNPOOL 192.168.2.0-192.168.2.100 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645-206.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup

nat (inside,backup) source static NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup

nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup

nat (inside,backup) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup

!

object network obj_any

nat (inside,backup) dynamic interface

access-group INSIDE_OUT in interface inside

access-group OUTSIDE_IN in interface outside

route outside 0.0.0.0 0.0.0.0 196.1.1.2 1 track 10

route outside 0.0.0.0 0.0.0.0 197.1.1.2 254

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.200.0 255.255.255.0 inside

http 192.168.202.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 100

type echo protocol ipIcmpEcho 212.58.244.71 interface outside

timeout 3000

frequency 5

sla monitor schedule 100 life forever start-time now

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map backup_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map backup_map interface backup

crypto ikev1 enable outside

crypto ikev1 enable backup

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

!

track 10 rtr 100 reachability

telnet 192.168.200.0 255.255.255.0 inside

telnet 192.168.202.0 255.255.255.0 inside

telnet timeout 5

ssh 192.168.202.0 255.255.255.0 inside

ssh 192.168.200.0 255.255.255.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 15

ssh key-exchange group dh-group1-sha1

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy vpntunnel internal

group-policy vpntunnel attributes

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpntunnel_splitTunnelAcl

default-domain value green.com

group-policy vpntunnell internal

group-policy vpntunnell attributes

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value gbnlvpntunnell_splitTunnelAcl

default-domain value green.com

username green password BoEFKkDtbnX5Uy1Q encrypted privilege 15

username LA attributes

vpn-group-policy gbnlvpn

tunnel-group vpntunnel type remote-access

tunnel-group vpntunnel general-attributes

address-pool VPNPOOL

default-group-policy vpntunnel

tunnel-group vpntunnel ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group vpntunnell type remote-access

tunnel-group vpntunnell general-attributes

address-pool VPNPOOL2

default-group-policy vpntunnell

tunnel-group vpntunnell ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:7c1b1373bf2e2c56289b51b8dccaa565

Accepted Solution

Hi,

1- Please issue these commands: 

"crypto isakmp nat-traversal 30"

"crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route"

The main issue here is that you have two floating routes and the outside one has a better metric than the backup, that is why I added the "reverse-route" command.

Please let me know.

Thanks.


10 Replies

Hello,

May I know why you have two NAT statements for the same flow? One says from inside to backup and the other one from inside to outside... This may cause issues... Please remove the unneeded statements and try again.

What do the logs tell you?

A packet-tracer?

A packet-capture?

Thanks.


sh crypto ipsec sa

interface: backup

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 197.255.63.181

      local ident (addr/mask/prot/port): (192.1.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)

      current_peer: 60.125.63.33, username: Hassan

      dynamic allocated peer ip: 192.168.2.1

      #pkts encaps: 9601, #pkts encrypt: 9601, #pkts digest: 9601

      #pkts decaps: 10336, #pkts decrypt: 10336, #pkts verify: 10336

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 9601, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 197.1.1.1/4500, remote crypto endpt.: 197.1.1.1/4500

      path mtu 1500, ipsec overhead 82, media mtu 1500

      current outbound spi: 0351A70F

      current inbound spi : C41E3EEF

    inbound esp sas:

      spi: 0xC41E3EEF (3290316527)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 20480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 782

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x0351A70F (55682831)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 20480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 781

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001                        

debug icmp trace

The reply is hitting the ASA, but I can't ping the inside network.

Hi,

Please remove the following lines with the "no" command:

nat (inside,outside) source static NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup

nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup

nat (inside,backup) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup

And add the following commands:

object network obj-192.168.200.0_24

subnet 192.168.200.0 255.255.255.0

!

nat (inside,backup) source static obj-192.168.200.0_24 obj-192.168.200.0_24 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup

Then please place a capture:

capture cap_backup interface backup match ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0

capture cap_backup1 interface backup match ip 192.168.202.0 255.255.255.0 192.168.2.0 255.255.255.0

Run "clear crypto ipsec sa counters" and try to access the 192.168.202.0/24 & 192.168.202.0/24 network with a ping (if allowed) through the tunnel, please attach these outputs:

1- show crypto ipsec sa

2- show capture cap_backup

3- show capture cap_backup1

Thanks
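As an added example (not code from the thread, from Cisco, or from the ASA itself), the Python below models the egress decision behind the accepted answer and the NAT-exemption reply above: with two floating default routes, a reply to a client that connected on backup is routed out outside by metric, so the (inside,backup) identity NAT never matches; a reverse-injected /32 for the client wins by longest prefix and restores both. Interface names, routes and NAT objects come from the second config; the route and NAT matching is a simplified model, and the LAN host address is constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    metric: int  # trailing number on the thread's "route" lines (1 vs 254)


@dataclass(frozen=True)
class IdentityNat:
    """nat (real_ifc,mapped_ifc) source static X X destination static Y Y"""
    real_ifc: str
    mapped_ifc: str
    source: IPv4Network
    destination: IPv4Network


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match first, lowest metric second (the floating route loses)."""
    addr = ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))


def inject_reverse_route(routes: List[Route], client_ip: str, tunnel_ifc: str) -> List[Route]:
    """Simplified 'set reverse-route': a /32 for the client on the interface its tunnel uses."""
    return routes + [Route(ip_network(f"{client_ip}/32"), tunnel_ifc, 1)]


def nat_exempt(rules: List[IdentityNat], src: str, dst: str, ingress: str, egress: str) -> bool:
    """True when an identity NAT rule for this interface pair keeps the flow untranslated."""
    s, d = ip_address(src), ip_address(dst)
    return any(r.real_ifc == ingress and r.mapped_ifc == egress
               and s in r.source and d in r.destination for r in rules)


def return_path(routes: List[Route], rules: List[IdentityNat],
                lan_host: str, client_ip: str) -> Tuple[str, bool]:
    """Egress interface for the LAN->client reply and whether it stays untranslated."""
    route = lookup(routes, client_ip)
    egress = route.interface if route else "none"
    return egress, nat_exempt(rules, lan_host, client_ip, "inside", egress)


# From the second config: "route outside 0.0.0.0 0.0.0.0 196.1.1.2 1 track 10"
# (assumed tracked up) and "route backup 0.0.0.0 0.0.0.0 197.1.1.2 254".
THREAD_ROUTES = [
    Route(ip_network("0.0.0.0/0"), "outside", 1),
    Route(ip_network("0.0.0.0/0"), "backup", 254),
    Route(ip_network("192.168.202.0/24"), "inside", 0),  # connected LAN
]
# "nat (inside,backup) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1
#  destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25"
THREAD_NAT = [
    IdentityNat("inside", "backup", ip_network("192.168.200.0/24"), ip_network("192.168.2.0/25")),
    IdentityNat("inside", "backup", ip_network("192.168.202.0/24"), ip_network("192.168.2.0/25")),
]


def demo() -> Tuple[Tuple[str, bool], Tuple[str, bool]]:
    """Reply from a LAN host (constructed address) to the client 192.168.2.1 seen in the thread."""
    client, lan_host = "192.168.2.1", "192.168.202.10"
    before = return_path(THREAD_ROUTES, THREAD_NAT, lan_host, client)
    with_rri = inject_reverse_route(THREAD_ROUTES, client, "backup")
    after = return_path(with_rri, THREAD_NAT, lan_host, client)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("without reverse-route:", before)  # ('outside', False): wrong leg, no exemption
    print("with reverse-route:   ", after)   # ('backup', True)
```
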

Hello,

I reconfigured everything again, and it is from this new config that I got the "sh crypto ipsec sa" and the ping in my previous post. Please discard the first config; let us work with this new one.

We have two LANs, 192.168.200.0 and 192.168.202.0, but I still can't ping my two LAN IPs from the VPN client. I have some questions to ask:

1. Do I need to permit traffic from the VPN to the inside IPs?

2. My two LAN subnets are already bridged; what might go wrong inside this config?

3. I need a thorough check of this config because I have been battling with it for almost 60 hours now.

4. The new config is below; is there anything wrong inside it?

5. Note: I can ping the LAN and public leg from the VPN but can't ping inside.

Thanks

Config below:

______________________________________________________________________________________________________

ASA Version 8.3(1)

!

hostname horse

domain-name evergreen.com

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

dns-guard

!

interface GigabitEthernet0/0

description LAN

nameif inside

security-level 100

ip address 192.168.202.100 255.255.255.0

!

interface GigabitEthernet0/1

nameif outside

security-level 0

ip address 196.1.1.1 255.255.255.248

!

interface GigabitEthernet0/2

nameif backup

security-level 0

ip address 197.1.1.1 255.255.255.248

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

management-only

!

boot system disk0:/asa831-k8.bin

boot system disk0:/asa707-k8.bin

ftp mode passive

clock timezone WAT 1

dns server-group DefaultDNS

domain-name greatbrandsng.com

same-security-traffic permit inter-interface

object network NETWORK_OBJ_192.168.2.0_25

subnet 192.168.2.0 255.255.255.128

object-group network DM_INLINE_NETWORK_1

network-object 192.168.200.0 255.255.255.0

network-object 192.168.202.0 255.255.255.0

access-list INSIDE_OUT extended permit tcp 192.168.202.0 255.255.255.0 any

access-list INSIDE_OUT extended permit tcp 192.168.200.0 255.255.255.0 any

access-list INSIDE_OUT extended permit tcp 192.168.2.0 255.255.255.0 any

access-list OUTSIDE_IN extended permit icmp any any

access-list gbnl1234_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0

access-list gbnl1234_splitTunnelAcl standard permit 192.168.202.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu backup 1500

ip local pool GBNLVPNPOOL 192.168.2.0-192.168.2.100 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645-206.bin

no asdm history enable

arp timeout 14400

nat (inside,backup) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25

!

nat (inside,outside) after-auto source dynamic any interface

access-group OUTSIDE_IN in interface outside

route outside 0.0.0.0 0.0.0.0 196.1.1.2 1 track 10

route backup 0.0.0.0 0.0.0.0 197.1.1.2 254

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable 441

http 192.168.200.0 255.255.255.0 inside

http 192.168.202.0 255.255.255.0 inside

http 192.168.2.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 100

type echo protocol ipIcmpEcho 196.1.1.2 interface outside

timeout 3000

frequency 5

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map backup_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map backup_map interface backup

crypto isakmp enable backup

crypto isakmp policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

!

track 10 rtr 100 reachability

telnet 192.168.200.0 255.255.255.0 inside

telnet 192.168.202.0 255.255.255.0 inside

telnet 192.168.2.0 255.255.255.0 inside

telnet timeout 5

ssh 192.168.202.0 255.255.255.0 inside

ssh 192.168.200.0 255.255.255.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy gbnl1234 internal

group-policy gbnl1234 attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value gbnl1234_splitTunnelAcl

default-domain value greatbrandsng.com

username gbnl password BoEFKkDtbnX5Uy1Q encrypted privilege 15

tunnel-group gbnl1234 type remote-access

tunnel-group gbnl1234 general-attributes

address-pool GBNLVPNPOOL

default-group-policy gbnl1234

tunnel-group gbnl1234 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:8f7dad0c62c03cb7ae312b3700ee086a


Hi,

I have not gone back to where the device is, but do you still want me to add the config from your previous post and the new post?

Check below:

And add the following commands:

object network obj-192.168.200.0_24

subnet 192.168.200.0 255.255.255.0

!

nat (inside,backup) source static obj-192.168.200.0_24 obj-192.168.200.0_24 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup

Then please place a capture:

capture cap_backup interface backup match ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0

capture cap_backup1 interface backup match ip 192.168.202.0 255.255.255.0 192.168.2.0 255.255.255.0

Run "clear crypto ipsec sa counters" and try to access the 192.168.202.0/24 & 192.168.202.0/24 network with a ping (if allowed) through the tunnel, please attach these outputs:

1- show crypto ipsec sa

2- show capture cap_backup

3- show capture cap_backup1

Please, let me know.

Thanks

Hello,

Thanks for your command and trick, +5. I can access LAN users now, but inside users cannot browse the internet. I think the global is in my config. Below are the show crypto ipsec sa and show capture cap_backup outputs:

show crypto ipsec sa

interface: backup

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 197.1.1.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.2.2/255.255.255.255/0/0)

      current_peer: 197.1.1.1, username: Hassan

      dynamic allocated peer ip: 192.168.2.2

      #pkts encaps: 1819, #pkts encrypt: 1819, #pkts digest: 1819

      #pkts decaps: 1039, #pkts decrypt: 1039, #pkts verify: 1039

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 1819, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 197.1.1.1/4500, remote crypto endpt.: 197.1.1.1/1828

      path mtu 1500, ipsec overhead 82, media mtu 1500

      current outbound spi: CF60F145

      current inbound spi : C2AA800C

    inbound esp sas:

      spi: 0xC2AA800C (3265953804)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 81920, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 27971

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xA7FE681F 0xE3FEEEEF

    outbound esp sas:

      spi: 0xCF60F145 (3479236933)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 81920, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 27969

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 197.1.1.1

      local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)

      current_peer: 197.1.1.1, username: Hassan

      dynamic allocated peer ip: 192.168.2.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 197.1.1.1/4500, remote crypto endpt.: 197.1.1.1/4500

      path mtu 1500, ipsec overhead 82, media mtu 1500

      current outbound spi: 0531E413

      current inbound spi : 0ECC9791

    inbound esp sas:

      spi: 0x0ECC9791 (248289169)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 86016, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 3250

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0x0531E413 (87155731)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 86016, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 3245

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 197.1.1.1

      local ident (addr/mask/prot/port): (192.168.202.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)

      current_peer: 197.1.1.1, username: Hassan

      dynamic allocated peer ip: 192.168.2.1

      #pkts encaps: 2017, #pkts encrypt: 2016, #pkts digest: 2016

      #pkts decaps: 2205, #pkts decrypt: 2205, #pkts verify: 2205

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 2017, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 197.1.1.1/4500, remote crypto endpt.: 197.1.1.1/4500

      path mtu 1500, ipsec overhead 82, media mtu 1500

      current outbound spi: 059ABD4A

      current inbound spi : 0F47C499

    inbound esp sas:

      spi: 0x0F47C499 (256361625)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 86016, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 3225

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x9E02FD00 0x3FB73FFA

    outbound esp sas:

      spi: 0x059ABD4A (94027082)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 86016, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 3220

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001      

________________

sh capture cap_backup

0 packet

0

Hi!

I am glad to hear that; thanks for rating the answer.

On the other hand, please attach a packet-tracer from an inside IP to the Internet, probably 4.2.2.2. It will let us know whether the FW is dropping the traffic or not.

Thanks in advance.

Hello,

Just a quick one.

TOPOLOGY

ASA ISP1---------197.1.1.1-----------outside

ASA ISP2---------196.1.1.1-----------backup

LAN IP-------------192.168.202.100---inside

I have configured the tunnel on both (outside and backup) interfaces, but is there a way to bind the two public legs to serve as one, as redundancy for VPN users, and let VPN tunnel users point to the inside IP whenever they want to establish a VPN session? We want it to be one, so if one interface fails the VPN users will not know; it will try the second for the connection, instead of creating a profile for the two outside legs on the VPN client.

Is it possible?

Hello Javiar,

I'm running into a similar kind of issue. The config I'm working with is very little. Please advise.

Thanks
