
Cisco ASA 5505 Site to Site VPN cannot pass traffic

valicon asked:
Last Modified: 2012-05-06
I have two ASA 5505's set up site to site. Site A is directly connected to the Internet with no devices in front of it. Site B has a PIX in front of it and a switch. The VPN tunnel is lit on Site B, however I cannot ping anything on Site A's side and the application we use cannot communicate. Syslog reports that Site A hosts attempts to set up a connection to Site B hosts but then the connection is torn down due to a SYN timeout. Obviously there is something blocking it. Here is the config from Site B:


ASA Version 7.2(4) 
!
hostname ciscoasa
domain-name xxxxxx
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.157.57.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.5.40 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object tcp
access-list outside_1_cryptomap extended permit ip host 10.157.57.2 host 10.137.73.2 
access-list inside_nat0_outbound extended permit ip host 10.157.57.2 host 10.137.73.2 
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 host 10.157.57.2 host 10.137.73.2 
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host 10.137.73.2 host 10.157.57.2 
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1  <---perimeter PIX
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.157.57.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
 
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context 
Cryptochecksum:a43133ef140ed1feb850fecd4ddbe2e6
: end


Author (valicon) commented:
I should add that Site A works fine with other locations. It is just Site B that is the problem.
Top Expert 2010 commented:
Site B with the PIX in front of it is the issue. Perhaps you should consider making the PIX the tunnel endpoint? Otherwise, the PIX should have a static map and appropriate ACLs set up to pass all traffic to the ASA sitting behind it.
Author (valicon) commented:
Does the PIX see any VPN traffic?  I thought it did not. Should whatever is in the tunnel just pass through the tunnel and the PIX see only UDP 500 traffic from the tunnel?
Use the command "show ipsec sa" to see if the statistics for "encrypted" and "decrypted" increase.
Sr. Systems Engineer (Top Expert 2008) commented:
@leibinusa,
Welcome to the EE team! I'm impressed by your credentials and notice you're making quite a splash.
Good to have you around. Looking forward to collaborating with you as I'm sure we'll bump into each other a good bit.

@valicon,
You can set up Site A as an EasyVPN server and the ASA at Site B as an EasyVPN client and you'll be golden. Just be sure to enable nat-traversal for the EasyVPN connection.

Author (valicon) commented:
Thanks for the responses. I wish I could use EasyVPN but I cannot change the config of Site A. Suggestions have been made to open ports on the perimeter PIX to allow traffic to the ASA, I already have a static mapping to that device on the perimeter PIX. I thought that with a site-to-site VPN, if there is a perimeter device, that the perimeter device cannot see any traffic coming across the ASA tunnel, so why do we need to put an acl on the perimeter device? I thought it would only see UDP 500 and encrypted traffic?  

The tunnel is up between the two ASA devices, the traffic is being blocked somewhere. With not being able to change the config on Site A, what would be the easiest way to get this going?  Thanks again :)
Les Moore, Sr. Systems Engineer (Top Expert 2008) commented:
>outside_1_cryptomap extended permit ip host 10.157.57.2 host 10.137.73.2
These are the only two hosts that can communicate

> I cannot change the config of Site A
Site A is going to have to support nat-traversal

>The tunnel is up between the two ASA devices
Post result of "show cry ip sa"  from Site B

Author (valicon) commented:
Here are the results of "show cry ip sa":

ciscoasa# sh cry ip sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 192.168.5.40

      access-list outside_1_cryptomap permit ip host 10.157.57.2 host 10.137.73.2
      local ident (addr/mask/prot/port): (10.157.57.2/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.137.73.2/255.255.255.255/0/0)
      current_peer: x.x.x.x

      #pkts encaps: 68, #pkts encrypt: 68, #pkts digest: 68
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 68, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.5.40, remote crypto endpt.: x.x.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: CC6C3CF4

    inbound esp sas:
      spi: 0x5E2FD22A (1580192298)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 358, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3825000/26638)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xCC6C3CF4 (3429645556)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 358, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3824995/26638)
         IV size: 8 bytes
         replay detection support: Y
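An added example, not from the thread, that mechanises the check suggested above (compare the encrypt and decrypt counters) and adds the second thing to look at in this output: it parses a "show crypto ipsec sa" excerpt, flags an SA that encapsulates but never decapsulates, and flags a local crypto endpoint in RFC 1918 space, which means a NAT device sits in front of the ASA. The sample text is a constructed excerpt modelled on the Site B output, with 203.0.113.10 standing in for the masked peer x.x.x.x.

```python
"""Triage a Cisco ASA 'show crypto ipsec sa' dump for the two symptoms in this
thread: one-way traffic (encaps > 0 but decaps == 0) and a local crypto endpoint
in RFC 1918 space, meaning a NAT device sits in front of the ASA (so NAT-T is needed).
Example code, not from the thread; the sample below is a constructed excerpt
modelled on the Site B output, with 203.0.113.10 standing in for the masked peer."""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_SA = """\
    Crypto map tag: outside_map, seq num: 1, local addr: 192.168.5.40
      local ident (addr/mask/prot/port): (10.157.57.2/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.137.73.2/255.255.255.255/0/0)
      current_peer: 203.0.113.10
      #pkts encaps: 68, #pkts encrypt: 68, #pkts digest: 68
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 192.168.5.40, remote crypto endpt.: 203.0.113.10
"""

def parse_sa(text):
    """Extract the per-SA packet counters and the two crypto endpoints."""
    counters = {name: int(val) for name, val in re.findall(r"#pkts (\w+): (\d+)", text)}
    m = re.search(r"local crypto endpt\.: (\S+), remote crypto endpt\.: (\S+)", text)
    return {"encaps": counters.get("encaps", 0), "decaps": counters.get("decaps", 0),
            "local": m.group(1), "remote": m.group(2)}

def is_rfc1918(addr):
    """True for 10/8, 172.16/12 and 192.168/16 only (not the documentation ranges)."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def diagnose(sa):
    """Return human-readable findings; an empty list means the SA looks healthy."""
    findings = []
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        findings.append("one-way SA: this side encrypts but never decrypts; "
                        "return traffic is not reaching the ASA")
    if is_rfc1918(sa["local"]) and not is_rfc1918(sa["remote"]):
        findings.append("local endpoint %s is RFC 1918 but the peer is not: a NAT device "
                        "is in front of this ASA, so NAT-T must be enabled on both peers" % sa["local"])
    return findings

if __name__ == "__main__":
    for finding in diagnose(parse_sa(SAMPLE_SA)):
        print("-", finding)
```

Run against the real output with the masked peer replaced by its actual address; the second finding is exactly the condition Site B is in here (outside IP 192.168.5.40 behind the perimeter PIX).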
Author (valicon) commented:
What do you guys think?
You should use command "crypto isakmp nat-traversal" on both ends.
Author (valicon) commented:
Site A works with other sites, except this one. They were all set up the same way. The only difference with Site B is that there is a perimeter PIX. Obviously this makes a difference? Could you clarify this for me:

I thought that with a site-to-site VPN, if there is a perimeter device, that the perimeter device cannot see any traffic coming across the ASA tunnel, so why do we need to put an acl on the perimeter device? I thought it would only see UDP 500 and encrypted traffic?  

Thanks for the replies :)
Les Moore, Sr. Systems Engineer (Top Expert 2008) commented:
I repeat...
> I cannot change the config of Site A
Site A is going to have to support nat-traversal

Because Site B is sitting behind the PIX and the PIX is NATting everything coming out of that site's ASA, there is no way to make this work unless Site A is configured to support nat-traversal.
The perimeter PIX does not see any of the traffic inside the tunnel, but it is still NATting. The ASA only knows its own identity as its outside IP address, but the Site A side sees it as the public IP of the PIX. Something has to compensate for that, and that is what nat-traversal does.
Author (valicon) commented:
Got it. I will update this hopefully tomorrow as soon as I get access to Site A.  Thanks.
Author (valicon) commented:
I added the command to both ASA's and still the same issue. What should I try next?
Author (valicon) commented:
Got it!  Thanks for the help :)