Solved

Cisco ASA 5505 Site to Site VPN cannot pass traffic

Posted on 2009-02-13
Last Modified: 2012-05-06
I have two ASA 5505's set up site to site. Site A is directly connected to the Internet with no devices in front of it. Site B has a PIX in front of it and a switch. The VPN tunnel is lit on Site B, however I cannot ping anything on Site A's side and the application we use cannot communicate. Syslog reports that Site A hosts attempt to set up a connection to Site B hosts but then the connection is torn down due to a SYN timeout. Obviously there is something blocking it. Here is the config from Site B:


ASA Version 7.2(4) 
!
hostname ciscoasa
domain-name xxxxxx
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.157.57.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.5.40 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object tcp
access-list outside_1_cryptomap extended permit ip host 10.157.57.2 host 10.137.73.2 
access-list inside_nat0_outbound extended permit ip host 10.157.57.2 host 10.137.73.2 
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 host 10.157.57.2 host 10.137.73.2 
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host 10.137.73.2 host 10.157.57.2 
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1  <---perimeter PIX
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.157.57.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
 
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context 
Cryptochecksum:a43133ef140ed1feb850fecd4ddbe2e6
: end

Question by:valicon

15 Comments
Author Comment

by:valicon
ID: 23636174
I should add that Site A works fine with other locations. It is just Site B that is the problem.
0
Expert Comment

by:MikeKane
ID: 23637271
Site B with the PIX in front of it is the issue. Perhaps you should consider making the PIX the tunnel endpoint? Otherwise, the PIX should have a static map and appropriate ACLs set up to pass all traffic to the ASA sitting behind it.
0
Author Comment

by:valicon
ID: 23638213
Does the PIX see any VPN traffic?  I thought it did not. Should whatever is in the tunnel just pass through the tunnel and the PIX see only UDP 500 traffic from the tunnel?
0
Expert Comment

by:leibinusa
ID: 23639067
Use the command "show ipsec sa" to see if the statistics for "encrypted" and "decrypted" increase.
0
Accepted Solution

by:lrmoore (earned 1000 total points)
ID: 23641600
@leibinusa,
Welcome to the EE team! I'm impressed by your credentials and notice you're making quite a splash.
Good to have you around. Looking forward to collaborating with you as I'm sure we'll bump into each other a good bit.

@valicon,
You can set up Site A as an EasyVPN server and the ASA at Site B as an EasyVPN client and you'll be golden. Just be sure to enable nat-traversal for the EasyVPN connection.

0
Author Comment

by:valicon
ID: 23641814
Thanks for the responses. I wish I could use EasyVPN but I cannot change the config of Site A. Suggestions have been made to open ports on the perimeter PIX to allow traffic to the ASA, I already have a static mapping to that device on the perimeter PIX. I thought that with a site-to-site VPN, if there is a perimeter device, that the perimeter device cannot see any traffic coming across the ASA tunnel, so why do we need to put an acl on the perimeter device? I thought it would only see UDP 500 and encrypted traffic?  

The tunnel is up between the two ASA devices, the traffic is being blocked somewhere. With not being able to change the config on Site A, what would be the easiest way to get this going?  Thanks again :)
0
Expert Comment

by:lrmoore
ID: 23642174
>outside_1_cryptomap extended permit ip host 10.157.57.2 host 10.137.73.2
These are the only two hosts that can communicate

> I cannot change the config of Site A
Site A is going to have to support nat-traversal

>The tunnel is up between the two ASA devices
Post the result of "show cry ip sa" from Site B

0
Author Comment

by:valicon
ID: 23651131
Here is the results of "show cry ip sa":

ciscoasa# sh cry ip sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 192.168.5.40

      access-list outside_1_cryptomap permit ip host 10.157.57.2 host 10.137.73.2
      local ident (addr/mask/prot/port): (10.157.57.2/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.137.73.2/255.255.255.255/0/0)
      current_peer: x.x.x.x

      #pkts encaps: 68, #pkts encrypt: 68, #pkts digest: 68
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 68, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.5.40, remote crypto endpt.: x.x.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: CC6C3CF4

    inbound esp sas:
      spi: 0x5E2FD22A (1580192298)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 358, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3825000/26638)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xCC6C3CF4 (3429645556)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 358, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3824995/26638)
         IV size: 8 bytes
         replay detection support: Y
0
Author Comment

by:valicon
ID: 23653440
What do you guys think?
0
Assisted Solution

by:leibinusa (earned 1000 total points)
ID: 23654098
You should use command "crypto isakmp nat-traversal" on both ends.
0
Author Comment

by:valicon
ID: 23655321
Site A works with other sites, except this one. They were all set up the same way. The only difference with Site B is that there is a perimeter PIX. Obviously this makes a difference? Could you clarify this for me:

I thought that with a site-to-site VPN, if there is a perimeter device, that the perimeter device cannot see any traffic coming across the ASA tunnel, so why do we need to put an acl on the perimeter device? I thought it would only see UDP 500 and encrypted traffic?  

Thanks for the replies :)
0
Expert Comment

by:lrmoore
ID: 23655910
I repeat...
> I cannot change the config of Site A
Site A is going to have to support nat-traversal

Because Site B is sitting behind the PIX and the PIX is NATting everything coming out of that site's ASA, there is no way to make this work unless Site A is configured to support nat-traversal.
The perimeter PIX does not see any of the traffic inside the tunnel, but it is still NATting. The ASA only knows its own identity as its outside IP address, but the Site A side sees it as the public IP of the PIX. Something has to compensate for that, and that is what nat-traversal does.
0
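The fix lrmoore describes, and the "static map plus ACL" MikeKane mentioned earlier, written out as an added configuration example. This is not the poster's config and not something from the thread. It assumes PIX 7.x-style syntax on the perimeter device, that the PIX presents the Site B ASA (192.168.5.40) to the Internet as 203.0.113.10, and that Site A's peer address is 198.51.100.20; both addresses are documentation placeholders standing in for the x.x.x.x values above, and the PIX ACL name outside_in is likewise assumed. The verification lines at the end tie back to the "show cry ip sa" output posted above: that output lists the in-use settings as {L2L, Tunnel, PFS Group 1, } with no NAT-T-Encaps entry, and shows 68 packets encapsulated against 0 decapsulated, which is what a tunnel whose return leg dies at the NAT device looks like.

```cisco
! --- Site B ASA (192.168.5.40, behind the perimeter PIX) ---
! Added example. Turns on IKE NAT discovery; when both peers agree, ESP is
! carried inside UDP/4500 so the PIX can translate it like any UDP flow.
! "20" is the NAT keepalive interval in seconds (the default), which keeps
! the PIX translation slot alive while the tunnel is idle.
crypto isakmp nat-traversal 20

! --- Site A ASA (directly on the Internet) ---
! NAT-T must be enabled on this side too; one side cannot force it.
! The peer address here is what Site A actually sees on the wire, i.e. the
! PIX's public mapping for 192.168.5.40 (203.0.113.10, assumed), not the
! ASA's private outside address.
crypto isakmp nat-traversal 20
crypto map outside_map 1 set peer 203.0.113.10
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *

! --- Perimeter PIX at Site B (PIX 7.x syntax assumed) ---
! One-to-one static mapping for the ASA's outside address, then an ACL that
! admits only IKE (UDP/500) and NAT-T (UDP/4500) from the Site A peer.
! The PIX never sees the cleartext inside the tunnel, so nothing else is
! needed for the 10.157.57.2 <-> 10.137.73.2 traffic.
static (inside,outside) 203.0.113.10 192.168.5.40 netmask 255.255.255.255
access-list outside_in extended permit udp host 198.51.100.20 host 203.0.113.10 eq isakmp
access-list outside_in extended permit udp host 198.51.100.20 host 203.0.113.10 eq 4500
access-group outside_in in interface outside

! --- Verification on the Site B ASA after the tunnel is rebuilt ---
! clear crypto ipsec sa
! show crypto isakmp sa   -> peer in state MM_ACTIVE
! show crypto ipsec sa    -> in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
!                            and #pkts decaps climbing alongside #pkts encaps
```

NAT discovery happens during IKE Phase 1, so the command has to be in place on both ASAs before the SAs are rebuilt; enabling it on one side only, or opening UDP/4500 on the PIX without enabling it, changes nothing. Keep the PIX ACL pinned to the Site A peer address rather than "any": IKE on UDP/500 is the one thing this design exposes, and the pre-shared key is all that protects it.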
Author Comment

by:valicon
ID: 23676659
Got it. I will update this hopefully tomorrow as soon as I get access to Site A.  Thanks.
0
Author Comment

by:valicon
ID: 23688573
I added the command to both ASA's and still the same issue. What should I try next?
0
Author Comment

by:valicon
ID: 23712725
Got it!  Thanks for the help :)
0