07-03-2012 06:08 AM
Hello,
We need to connect from an external computer, connected via the Cisco VPN client, to an internal server that is behind an ASA 5505 configured with Easy VPN. The VPN connection from the client to our 5520 firewall is fine, but when I try to connect to the server on the LAN, the FW log says:
Routing failed to locate next hop for TCP from Internet:172.17.1.215/1108 to Lan_Interna:172.33.0.50/3389
Attached image.
Can you help me?
Regards
David
07-05-2012 07:31 AM
Change the ACL to std on REMOTE_ITLISBOA profile
On the ASA 5520 (main FW), if I run show cry ipsec sa peer 172.17.1.218 (that is the IP assigned to the remote computer connected by the Cisco VPN client with profile REMOTE_ITLISBOA), the output is:
There are no ipsec sas for peer 172.17.1.218
The same happens if I run the command on the FW for 172.33.0.254 (the local IP of the ASA 5505 REMOTE_LISBOA).
Regards
07-05-2012 07:35 AM
No, it should be the peer address (VPN termination address/public IP), not the local address.
07-05-2012 07:36 AM
ASA 5520 logging:
Routing failed to locate next hop for TCP from Internet:172.17.1.218/1069 to Lan_Interna:172.33.0.50/3389
172.33.0.50 is a server behind ASA 5505
07-05-2012 07:48 AM
Peer REMOTE_ITLISBOA:
peer address: 83.44.250.242
Crypto map tag: Internet_dyn_map, seq num: 20, local addr: 195.77.188.150
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.17.1.218/255.255.255.255/0/0)
current_peer: 83.44.250.242, username: SANTOSV
dynamic allocated peer ip: 172.17.1.218
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 195.77.188.150/4500, remote crypto endpt.: 83.44.250.242/1135
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 4B42BB21
current inbound spi : 4FD66423
inbound esp sas:
spi: 0x4FD66423 (1339450403)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 18817024, crypto-map: Internet_dyn_map
sa timing: remaining key lifetime (sec): 28754
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x4B42BB21 (1262664481)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 18817024, crypto-map: Internet_dyn_map
sa timing: remaining key lifetime (sec): 28754
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Peer REMOTE_LISBOA
There are no ipsec sas for peer 83.103.13.107
Thanks!
07-05-2012 07:53 AM
There are a number of incorrect NAT statements which should be removed:
nat (Lan_Interna,DMZ) source static INTRANET_LISBOA INTRANET_LISBOA no-proxy-arp
nat (Lan_Interna,any) source static INTRANET_LISBOA INTRANET_LISBOA destination static DMZ DMZ no-proxy-arp
nat (Lan_Interna,any) source static INTRANET_LISBOA INTRANET_LISBOA destination static VPN_REMOTE_ACCESS VPN_REMOTE_ACCESS no-proxy-arp
On the VPN Client route section, do you see the 2 routes, or is there just 1 route of 0.0.0.0?
Also, have you reconnected the ASA5505? If you have, how come there is no IPSec SA? There should be an IPSec SA for that peer, otherwise it won't work. Can you access the main site from the ASA5505?
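Why those three identity NAT rules break the client-to-5505 flow can be seen by modelling the egress-interface decision the ASA makes for twice NAT. The block below is an added example, not the thread's configuration: the object prefixes, the routing table and the flow are constructed from the addresses quoted in the thread.

```python
"""Model of how an ASA (8.3+) twice-NAT rule picks the egress interface.
Added example, not the thread's configuration: objects, routes and the flow
are constructed from values quoted in the thread. For manual (twice) NAT the
ASA takes the egress interface from the matching rule, not the routing table
(unless the rule says route-lookup), so an identity rule with mapped 'any'
also catches client traffic arriving on Internet and forces it out the rule's
real interface: the logged "Routing failed ... to Lan_Interna" behaviour.
"""
from ipaddress import ip_address, ip_network
# Network objects (constructed; names are the thread's, prefixes assumed).
OBJECTS = {
    "INTRANET_LISBOA": ip_network("172.33.0.0/16"),    # LAN behind the 5505
    "VPN_REMOTE_ACCESS": ip_network("172.17.1.0/24"),  # client address pool
    "DMZ": ip_network("10.10.0.0/16"),
}
# Routing table: the 5505 LAN is reached via the L2L tunnel on Internet.
ROUTES = [
    (ip_network("172.33.0.0/16"), "Internet"),
    (ip_network("192.168.0.0/24"), "Lan_Interna"),     # assumed inside LAN
    (ip_network("0.0.0.0/0"), "Internet"),
]
# Twice-NAT rules as (real_if, mapped_if, source_obj, destination_obj).
BROKEN = [
    ("Lan_Interna", "DMZ", "INTRANET_LISBOA", None),
    ("Lan_Interna", "any", "INTRANET_LISBOA", "DMZ"),
    ("Lan_Interna", "any", "INTRANET_LISBOA", "VPN_REMOTE_ACCESS"),
]
FIXED = []  # the three identity rules removed, as advised in the thread

def route_lookup(dst):
    """Longest-prefix match on ROUTES; returns the egress interface."""
    return max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)[1]

def egress_interface(rules, ingress, src, dst):
    """Egress chosen by NAT: rules match in both directions, first hit wins."""
    for real_if, mapped_if, src_obj, dst_obj in rules:
        s_net, d_net = OBJECTS[src_obj], OBJECTS.get(dst_obj)
        d_ok = lambda ip: d_net is None or ip in d_net
        if ingress == real_if and src in s_net and d_ok(dst):            # forward
            return route_lookup(dst) if mapped_if == "any" else mapped_if
        if mapped_if in (ingress, "any") and dst in s_net and d_ok(src):  # reverse
            return real_if
    return route_lookup(dst)

def check_flow(rules, ingress, src, dst):
    """Forward the flow only if a route to dst exists on the NAT-chosen egress."""
    src, dst = ip_address(src), ip_address(dst)
    egress = egress_interface(rules, ingress, src, dst)
    if not any(dst in net and iface == egress for net, iface in ROUTES):
        return f"Routing failed to locate next hop for TCP from {ingress}:{src} to {egress}:{dst}"
    return f"forwarded via {egress}"
```

Calling check_flow with BROKEN reproduces the logged failure for the VPN client flow, while the same flow with FIXED is forwarded out Internet; a LAN host on 192.168.0.0/24 is routed correctly under both rule sets, which is why only the remote-access clients noticed.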
07-05-2012 08:07 AM
Sorry, I copied/pasted the wrong peer IP. The results for REMOTE_LISBOA:
peer address: 87.103.13.107
Crypto map tag: Internet_dyn_map, seq num: 20, local addr: 195.77.188.150
local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (172.33.0.0/255.255.0.0/0/0)
current_peer: 87.103.13.107, username: LISBOA
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 356775, #pkts encrypt: 356775, #pkts digest: 356775
#pkts decaps: 565445, #pkts decrypt: 565445, #pkts verify: 565445
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 356775, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 195.77.188.150/4500, remote crypto endpt.: 87.103.13.107/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 93DE9FF8
current inbound spi : 89D46CF0
inbound esp sas:
spi: 0x89D46CF0 (2312400112)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 18677760, crypto-map: Internet_dyn_map
sa timing: remaining key lifetime (sec): 21155
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x93DE9FF8 (2480840696)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 18677760, crypto-map: Internet_dyn_map
sa timing: remaining key lifetime (sec): 21155
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: Internet_dyn_map, seq num: 20, local addr: 195.77.188.150
local ident (addr/mask/prot/port): (172.17.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.33.0.0/255.255.0.0/0/0)
current_peer: 87.103.13.107, username: LISBOA
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 195.77.188.150/4500, remote crypto endpt.: 87.103.13.107/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: FFFB45DD
current inbound spi : 1FAF3E00
inbound esp sas:
spi: 0x1FAF3E00 (531578368)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 18677760, crypto-map: Internet_dyn_map
sa timing: remaining key lifetime (sec): 21155
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xFFFB45DD (4294657501)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 18677760, crypto-map: Internet_dyn_map
sa timing: remaining key lifetime (sec): 21155
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: Internet_dyn_map, seq num: 20, local addr: 195.77.188.150
local ident (addr/mask/prot/port): (172.20.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (172.33.0.0/255.255.0.0/0/0)
current_peer: 87.103.13.107, username: LISBOA
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 1048971, #pkts encrypt: 1048971, #pkts digest: 1048971
#pkts decaps: 682079, #pkts decrypt: 682079, #pkts verify: 682079
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1048971, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 195.77.188.150/4500, remote crypto endpt.: 87.103.13.107/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 7D1ADFC3
current inbound spi : 18581F60
inbound esp sas:
spi: 0x18581F60 (408428384)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 18677760, crypto-map: Internet_dyn_map
sa timing: remaining key lifetime (sec): 21155
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x7D1ADFC3 (2098913219)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 18677760, crypto-map: Internet_dyn_map
sa timing: remaining key lifetime (sec): 21155
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: Internet_dyn_map, seq num: 20, local addr: 195.77.188.150
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.33.0.0/255.255.0.0/0/0)
current_peer: 87.103.13.107, username: LISBOA
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 236, #pkts encrypt: 236, #pkts digest: 236
#pkts decaps: 256, #pkts decrypt: 256, #pkts verify: 256
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 236, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 195.77.188.150/4500, remote crypto endpt.: 87.103.13.107/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 66520146
current inbound spi : 8723F6AB
inbound esp sas:
spi: 0x8723F6AB (2267281067)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 18677760, crypto-map: Internet_dyn_map
sa timing: remaining key lifetime (sec): 21155
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x66520146 (1716650310)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 18677760, crypto-map: Internet_dyn_map
sa timing: remaining key lifetime (sec): 21155
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: Internet_dyn_map, seq num: 20, local addr: 195.77.188.150
local ident (addr/mask/prot/port): (195.77.188.150/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
current_peer: 87.103.13.107, username: LISBOA
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 195.77.188.150/4500, remote crypto endpt.: 87.103.13.107/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 9EA2199F
current inbound spi : F9A8CA16
inbound esp sas:
spi: 0xF9A8CA16 (4188588566)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 18677760, crypto-map: Internet_dyn_map
sa timing: remaining key lifetime (sec): 21152
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x9EA2199F (2661423519)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 18677760, crypto-map: Internet_dyn_map
sa timing: remaining key lifetime (sec): 21152
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
07-05-2012 08:28 AM
Yeeessss!!! You got it!!!
Disabling this NAT rule works:
INTRANET_LISBOA destination static VPN_REMOTE_ACCESS VPN_REMOTE_ACCESS no-proxy-arp
Thanks a lot Jennifer.
Regards
David
07-05-2012 08:35 AM
Excellent, thanks for the update.