ASA to ASA VPN comes up but is blocking all traffic

sws153
I am trying to set up a site-to-site VPN between two Cisco ASA 5505s. The tunnel comes up but I cannot send traffic either way. The syslog shows the packets as being built and then torn down.

Here is the configuration on the main ASA:

: Saved
:
ASA Version 8.2(1)
!
hostname pfpasa
domain-name pittsburghforest.local
enable password * encrypted
passwd * encrypted
names
name 192.168.45.3 Exchange
name 10.1.1.2 outsideIP
name 10.20.30.20 Kraftmaid
name 10.30.40.10 LantekIP
name 192.168.45.160 MillLAN
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.45.1 255.255.255.192
!
interface Vlan2
 nameif outside
 security-level 0
 ip address outsideIP 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name pittsburghforest.local
object-group network ForeFrontIP
 network-object host 12.129.199.61
 network-object 12.129.20.0 255.255.255.0
 network-object host 12.129.219.155
 network-object host 206.16.57.70
 network-object 207.46.163.0 255.255.255.0
 network-object 207.46.51.64 255.255.255.192
 network-object 213.199.154.0 255.255.255.0
 network-object 213.244.175.0 255.255.255.0
 network-object 216.32.180.0 255.255.255.0
 network-object 216.32.181.0 255.255.255.0
 network-object 63.241.222.0 255.255.255.0
 network-object 65.55.88.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
 port-object eq 3389
object-group service DM_INLINE_TCP_2 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group network DM_INLINE_NETWORK_1
 network-object host LantekIP
 group-object ForeFrontIP
access-list outside_access_in extended permit icmp any host outsideIP
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 host outsideIP eq smtp
access-list outside_access_in extended permit tcp any host outsideIP object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp host Kraftmaid host outsideIP object-group DM_INLINE_TCP_2
access-list muvpn_splitTunnelAcl standard permit 192.168.45.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.45.0 255.255.255.192 10.11.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.45.0 255.255.255.192 MillLAN 255.255.255.224
access-list outside_1_cryptomap extended permit ip 192.168.45.0 255.255.255.192 MillLAN 255.255.255.224
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNDefault 10.11.12.100-10.11.12.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp Exchange smtp netmask 255.255.255.255
static (inside,outside) tcp interface www Exchange www netmask 255.255.255.255
static (inside,outside) tcp interface https Exchange https netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.45.8 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.45.8 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.45.4 3389 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.45.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 10.2.2.2
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.45.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy muvpn internal
group-policy muvpn attributes
 dns-server value 192.168.45.2 192.168.45.3
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value muvpn_splitTunnelAcl
 default-domain value pittsburghforest.local
tunnel-group muvpn type remote-access
tunnel-group muvpn general-attributes
 address-pool VPNDefault
 default-group-policy muvpn
tunnel-group muvpn ipsec-attributes
 pre-shared-key *
tunnel-group 10.2.2.2 type ipsec-l2l
tunnel-group 10.2.2.2 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:93caa49844d8093bec95a14f281b415a
: end
asdm image disk0:/asdm-621.bin
asdm location Exchange 255.255.255.255 inside
asdm location outsideIP 255.255.255.255 inside
asdm location Kraftmaid 255.255.255.255 inside
asdm location LantekIP 255.255.255.255 inside
asdm location MillLAN 255.255.255.224 inside
no asdm history enable

Here is the config for the remote ASA:

: Saved
:
ASA Version 8.2(1)
!
hostname pfpmillasa
domain-name pittsburghforest.local
enable password * encrypted
passwd * encrypted
names
name 192.168.45.0 PFPPittNetwork
name 192.168.45.160 inside
name 10.2.2.2 outsideip
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.45.161 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address outsideip 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name pittsburghforest.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any host outsideip
access-list muvpn_splitTunnelAcl standard permit inside 255.255.255.224
access-list inside_nat0_outbound extended permit ip inside 255.255.255.224 10.11.13.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip inside 255.255.255.224 PFPPittNetwork 255.255.255.192
access-list outside_1_cryptomap extended permit ip inside 255.255.255.224 PFPPittNetwork 255.255.255.192
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool DefaultVPN 10.11.13.100-10.11.13.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.2.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http PFPPittNetwork 255.255.255.0 inside
http 192.168.46.0 255.255.255.0 inside
http 10.1.1.2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 10.1.1.2
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.45.166-192.168.45.190 inside
dhcpd dns 4.2.2.2 interface inside
dhcpd domain pittsburghforest.local interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy muvpn internal
group-policy muvpn attributes
 dns-server value 192.168.45.2 192.168.45.3
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value muvpn_splitTunnelAcl
 default-domain value pittsburghforest.local
tunnel-group muvpn type remote-access
tunnel-group muvpn general-attributes
 address-pool DefaultVPN
 default-group-policy muvpn
tunnel-group muvpn ipsec-attributes
 pre-shared-key *
tunnel-group 10.1.1.2 type ipsec-l2l
tunnel-group 10.1.1.2 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:335937683580339dcb105d6f5328ca83
: end
asdm image disk0:/asdm-621.bin
asdm location PFPPittNetwork 255.255.255.192 inside
asdm location inside 255.255.255.224 inside
asdm location outsideip 255.255.255.255 inside
no asdm history enable

Like I said, the VPN comes up, so the keys and encryption settings are good; I just can't get traffic between the 192.168.45.0 255.255.255.192 and 192.168.45.160 255.255.255.224 networks.

Thanks in advance!
Your outsideIP is 10.1.1.2,

but the route is set to 10.1.1.1 (route outside 0.0.0.0 0.0.0.0 10.1.1.1 1).

If this info is not correct, please change it to the real one:

route outside 0.0.0.0 0.0.0.0 10.1.1.2 1

Apparently, can you ping the other end ASA IP and know whether you are reachable?

Hey, please ignore my above comments... I was just confused...

Hope your next hop device can reach the other end.

Daniel, Senior Network Architect, Terminal Automation
Commented:
Hi,

Check the subnet mask of the remote ASA first.
It's currently:
"ip address 192.168.45.161 255.255.255.0"
It should have a 255.255.255.224 subnet mask.

Regards,
Daniël
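
As an added check (example code, not from the thread or from Cisco), the script below expresses what this reply tests by eye: whether the two crypto ACLs mirror each other, whether each side's NAT exemption covers them, and whether either ASA's own inside subnet swallows the peer's protected network, which is what the remote /24 mask did. The addresses are taken from the configs posted above with the names resolved; the "fixed" remote mask is the /27 suggested here.

```python
import ipaddress

# Constructed from the two configs posted above (ASA names resolved to addresses).
MAIN = {
    "inside": ("192.168.45.1", "255.255.255.192"),
    "crypto": [(("192.168.45.0", "255.255.255.192"), ("192.168.45.160", "255.255.255.224"))],
    "nat0":   [(("192.168.45.0", "255.255.255.192"), ("10.11.12.0", "255.255.255.0")),
               (("192.168.45.0", "255.255.255.192"), ("192.168.45.160", "255.255.255.224"))],
}
REMOTE_AS_POSTED = {
    "inside": ("192.168.45.161", "255.255.255.0"),   # the /24 mask flagged in the reply
    "crypto": [(("192.168.45.160", "255.255.255.224"), ("192.168.45.0", "255.255.255.192"))],
    "nat0":   [(("192.168.45.160", "255.255.255.224"), ("10.11.13.0", "255.255.255.0")),
               (("192.168.45.160", "255.255.255.224"), ("192.168.45.0", "255.255.255.192"))],
}
REMOTE_FIXED = dict(REMOTE_AS_POSTED, inside=("192.168.45.161", "255.255.255.224"))

def net(addr, mask):
    # ASA "address mask" form -> network object (strict=False drops host bits).
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def crypto_acls_mirror(a, b):
    """Each crypto ACL must equal the peer's with source and destination swapped."""
    return {(net(*s), net(*d)) for s, d in a["crypto"]} == \
           {(net(*d), net(*s)) for s, d in b["crypto"]}

def nat0_covers_crypto(side):
    """Every interesting-traffic pair must be NAT-exempt, or the PAT rule rewrites it."""
    exempt = {(net(*s), net(*d)) for s, d in side["nat0"]}
    return all((net(*s), net(*d)) in exempt for s, d in side["crypto"])

def connected_overlap(side):
    """Peer networks in the crypto ACL that overlap this ASA's own inside subnet.
    The ASA treats such destinations as directly connected (it ARPs for them)
    instead of handing them to the crypto map, so the tunnel is up but empty."""
    connected = net(*side["inside"])
    return [str(net(*d)) for _s, d in side["crypto"] if net(*d).overlaps(connected)]

def check_pair(a, b):
    return {
        "mirrored": crypto_acls_mirror(a, b),
        "nat0_ok": nat0_covers_crypto(a) and nat0_covers_crypto(b),
        "overlaps": connected_overlap(a) + connected_overlap(b),
    }

if __name__ == "__main__":
    print("as posted:", check_pair(MAIN, REMOTE_AS_POSTED))
    print("with /27 :", check_pair(MAIN, REMOTE_FIXED))
```

With the posted /24 the remote side reports 192.168.45.0/26 as overlapping its connected subnet; with the /27 the overlap list is empty while the ACL and NAT checks pass on both sides.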

Author
Commented:
OK. I fixed that and still no go.
When I run the packet tracer on the main ASA and trace ICMP from 192.168.45.1 to 192.168.45.161, traffic is permitted, but when I run the reverse on either ASA, it's blocked by the inside implicit rule (any any deny).

Commented:
For some reason the implicit rule implemented in 8 doesn't like site-to-site using names or 3DES.

Changed to IPs for all endpoints and AES, and the tunnel came up fine.
