Solved

Cisco ASA - ping opens VPN tunnel but no IP traffic passes

Posted on 2010-03-23
Last Modified: 2012-06-27
I have noticed an interesting bug on Cisco ASA equipment; it happens only if we use Cisco ASA firewalls on both sides of the VPN tunnel. So if I open the tunnel with ping, no IP traffic passes, and if I open it with IP traffic, then ICMP and IP pass through.
Has anybody noted such behaviour?
Question by: Merdex
18 Comments
 
Expert Comment by: Istvan Kalmar (LVL 34)
ID: 28330831
Please show the configs!
Did you set the nonat statement?

Author Comment by: Merdex
ID: 28332866
This is my standard config; I use it on both sides (of course I change the peer and subnets in the access lists). No-NAT is also configured.

access-list inside_outbound_nat1 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0

access-list crypto_kamb1 extended permit icmp 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list crypto_kamb1 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat1

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA


crypto map outside_map 34 match address crypto_kamb1
crypto map outside_map 34 set pfs
crypto map outside_map 34 set peer 1.1.1.1
crypto map outside_map 34 set transform-set ESP-3DES-MD5

crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400


tunnel-group  1.1.1.1 type ipsec-l2l
tunnel-group  1.1.1.1 ipsec-attributes
 pre-shared-key *
Expert Comment by: Istvan Kalmar (LVL 34)
ID: 28333276
Where is the group policy?

Author Comment by: Merdex
ID: 28333587
I think that this group policy only applies to remote access clients, but please check; that is all I have in the config.

threat-detection basic-threat
threat-detection statistics
group-policy DRXDRX internal
group-policy DRXDRX attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DRXDRX_splitTunnelAcl
group-policy TG internal
group-policy TG attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TG_splitTunnelAcl


policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Expert Comment by: Istvan Kalmar (LVL 34)
ID: 28333706
Please provide us with:

sh cry isa sa
sh cry ips sa
sh vpn-sessiondb l2l
Expert Comment by: Istvan Kalmar (LVL 34)
ID: 28333747
Please define a group policy for L2L.

Author Comment by: Merdex
ID: 28334861
I have about 30 tunnels, so maybe I didn't copy everything correctly ...
How do I define a policy for L2L? Do you have an example?


18  IKE Peer: 1.1.1.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE


Crypto map tag: outside_map, seq num: 19, local addr: 2.2.2.2

      access-list crypto_mega permit ip host 2.2.2.2 host 1.1.1.1
      local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
      current_peer: 91.199.161.3

      #pkts encaps: 2987, #pkts encrypt: 2987, #pkts digest: 2987
      #pkts decaps: 3570, #pkts decrypt: 3570, #pkts verify: 3570
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2987, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 428A0C4A

    inbound esp sas:
      spi: 0xB8637B70 (3093527408)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 8798208, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (2984/1154)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x428A0C4A (1116343370)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 8798208, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (2984/1154)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: outside_map, seq num: 13, local addr: 2.2.2.2

Session Type: LAN-to-LAN

Connection   : 1.1.1.1
Index        : 1518                   IP Addr      : 192.168.16.102
Protocol     : IKE IPsec
Encryption   : 3DES                   Hashing      : MD5
Bytes Tx     : 1221930834             Bytes Rx     : 2200190951
Login Time   : 09:10:48 UTC Fri Mar 19 2010
Duration     : 4d 2h:01m:07s



Expert Comment by: Istvan Kalmar (LVL 34)
ID: 28335456
It seems it is working:


      #pkts encaps: 2987, #pkts encrypt: 2987, #pkts digest: 2987
      #pkts decaps: 3570, #pkts decrypt: 3570, #pkts verify: 3570
Expert Comment by: Istvan Kalmar (LVL 34)
ID: 28335637
group-policy remotevpn internal
group-policy remotevpn attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
tunnel-group 1.1.1.1 general-attributes
 default-group-policy remotevpn

Author Comment by: Merdex
ID: 28335980
Yes, it is working now because I started the connection with IP traffic. This is a production environment, so I cannot test right now.
What do I get with this group policy? It seems that it works OK without it. Do you think it will solve this issue?
Expert Comment by: Markus Braun (LVL 5)
ID: 28357796
I think your access-list inside_outbound_nat1 is missing the permit ICMP like you have it in your NAT0 access-list.

You can do a "debug icmp trace"

and you will see what happens to your pings.
Expert Comment by: Markus Braun (LVL 5)
ID: 28358135
Basically, add
access-list inside_outbound_nat1 extended permit icmp 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0

to permit ICMP to pass the inside interface,

or allow it, period, with "access-list inside_outbound_nat1 permit icmp any any" for testing purposes
and then limit it to the ones you have to have, e.g.

access-list inside_outbound_nat1 permit icmp any any echo
access-list inside_outbound_nat1 permit icmp any any echo-reply
access-list inside_outbound_nat1 permit icmp any any source-quench
access-list inside_outbound_nat1 permit icmp any any unreachable
access-list inside_outbound_nat1 permit icmp any any time-exceeded

Author Comment by: Merdex
ID: 28358163
You maybe didn't understand my question: my ping works, always. It is just that when I start pinging and the VPN tunnel goes up, I cannot send any IP traffic through it, just ping (ICMP).

If I start my tunnel with IP traffic, everything is OK; ping works also....
Expert Comment by: Markus Braun (LVL 5)
ID: 28425172
Hi, OK, I see.
Remove this: access-list crypto_kamb1 extended permit icmp 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
but add this anyway:
access-list inside_outbound_nat1 permit icmp any any echo
access-list inside_outbound_nat1 permit icmp any any echo-reply
access-list inside_outbound_nat1 permit icmp any any source-quench
access-list inside_outbound_nat1 permit icmp any any unreachable
access-list inside_outbound_nat1 permit icmp any any time-exceeded

If you permit IP in your NAT 0 access-list, ICMP is already allowed; all you need to do is allow it from the LAN side.
Accepted Solution by: Markus Braun (LVL 5, earned 2000 total points)
ID: 28425424
Oops, sorry, I mixed something up because of this:

nat (inside) 0 access-list inside_outbound_nat1

Since you named it nat1, it was confusing, since the NAT 0 statement means no NAT and NAT 1 means do NAT.
So don't do this:
access-list inside_outbound_nat1 permit icmp any any echo
access-list inside_outbound_nat1 permit icmp any any echo-reply
access-list inside_outbound_nat1 permit icmp any any source-quench
access-list inside_outbound_nat1 permit icmp any any unreachable
Instead, add it to your LANOUT access-list.
If you explicitly permit ICMP in your crypto access-list, you also need to explicitly allow it in your NAT 0 access-list,
or better, just remove any ICMP access-list entry from your tunnel configuration, since IP already includes ICMP.
Expert Comment by: Markus Braun (LVL 5)
ID: 28425583
So this:

access-list inside_outbound_nat1 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list crypto_kamb1 extended permit icmp 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list crypto_kamb1 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0

needs to match, meaning it should look like this:

access-list inside_outbound_nat1 extended permit icmp 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_outbound_nat1 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list crypto_kamb1 extended permit icmp 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list crypto_kamb1 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0

But I recommend you change "inside_outbound_nat1" to something logical like NONAT or inside_outbound_nat0.
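
Added example, not code from this thread or from Cisco: a small Python lint that applies the two rules from the accepted solution and the "needs to match" comment above to ASA 8.2-style access-list lines. It parses `access-list NAME extended permit|deny PROTO SRC DST` entries (network/mask, `host`, `any`), shows which entry an ICMP packet and a TCP packet each hit first (the ASA evaluates top-down, first match wins, and `ip` covers every protocol), flags protocol-specific entries that a `permit ip` for the same source/destination already covers, and flags crypto entries with no covering entry in the nat 0 list. The access-list names and networks are the ones posted in this thread; the config text is constructed from them, and the function names are my own.

```python
"""Lint ASA crypto and NAT-exempt access-lists for the overlap discussed in this thread.

Added example, not from the thread or from Cisco. Handles only
'access-list NAME extended permit|deny PROTO SRC DST' lines (network mask, host, any);
port and ICMP-type qualifiers are ignored. The list names and networks below are the
poster's; the config text itself is constructed from them.
"""
import ipaddress
from dataclasses import dataclass

POSTED_CONFIG = """
access-list inside_outbound_nat1 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list crypto_kamb1 extended permit icmp 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list crypto_kamb1 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
"""

# The accepted answer: drop the protocol-specific entry, since 'ip' already includes ICMP.
FIXED_CONFIG = """
access-list inside_outbound_nat1 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list crypto_kamb1 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
"""


@dataclass(frozen=True)
class Ace:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _addr(tokens, i):
    """Consume one ASA address spec at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acls(config):
    """Return {acl_name: [Ace, ...]} in configured order (the ASA evaluates top-down)."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, i = _addr(t, 5)
        dst, _ = _addr(t, i)
        acls.setdefault(t[1], []).append(Ace(t[1], t[3], t[4], src, dst))
    return acls


def first_match(acl, proto, src_ip, dst_ip):
    """First ACE the packet hits: 'ip' matches every protocol, anything else only itself."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace
    return None


def redundant_protocol_aces(acl):
    """Protocol-specific permits whose src/dst a 'permit ip' in the same list already covers.

    In a crypto ACL this means a ping and a TCP connection hit different entries, so the
    tunnel is negotiated from whichever one carried the first packet (the thread's symptom)."""
    ip_aces = [a for a in acl if a.action == "permit" and a.proto == "ip"]
    return [a for a in acl if a.action == "permit" and a.proto != "ip"
            and any(a.src.subnet_of(b.src) and a.dst.subnet_of(b.dst) for b in ip_aces)]


def not_nat_exempt(crypto_acl, nonat_acl):
    """Crypto permits with no covering permit in the nat 0 list (the 'needs to match' rule)."""
    return [a for a in crypto_acl if a.action == "permit"
            and not any(b.action == "permit" and b.proto in ("ip", a.proto)
                        and a.src.subnet_of(b.src) and a.dst.subnet_of(b.dst)
                        for b in nonat_acl)]


def lint(config, crypto_acl="crypto_kamb1", nonat_acl="inside_outbound_nat1"):
    """Findings for one tunnel's crypto ACL and NAT-exempt ACL, as printable strings."""
    acls = parse_acls(config)
    crypto, nonat = acls.get(crypto_acl, []), acls.get(nonat_acl, [])
    findings = [f"{a.acl}: 'permit {a.proto} {a.src} {a.dst}' is redundant with a 'permit ip' "
                f"entry; remove it so every trigger packet hits the same ACE"
                for a in redundant_protocol_aces(crypto)]
    findings += [f"{a.acl}: 'permit {a.proto} {a.src} {a.dst}' has no matching entry in "
                 f"{nonat_acl}; that traffic is not exempt from NAT"
                 for a in not_nat_exempt(crypto, nonat)]
    return findings


if __name__ == "__main__":
    crypto = parse_acls(POSTED_CONFIG)["crypto_kamb1"]
    for proto in ("icmp", "tcp"):
        hit = first_match(crypto, proto, "192.168.0.10", "192.168.16.102")
        print(f"{proto:4} 192.168.0.10 -> 192.168.16.102 first hits: permit {hit.proto}")
    for finding in lint(POSTED_CONFIG):
        print("posted:", finding)
    print("fixed :", lint(FIXED_CONFIG) or "no findings")
```

Run against the posted lists it reports the `permit icmp` entry in crypto_kamb1 as redundant and nothing else; against the fixed version it reports no findings. Entries without the `extended` keyword are skipped, and any port or ICMP-type qualifier after the destination is ignored, so it checks only the source/destination/protocol overlap the thread is about.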

Author Comment by: Merdex
ID: 28427576
Thanks for the assistance. It seems that I had one access-list too many, so the one for ICMP is not needed.
Expert Comment by: Markus Braun (LVL 5)
ID: 28453889
Thanks for your grade, it was a pleasure to assist you.