Solved

Cisco ASA 5510 to 5505 site-to-site VPN comes up but no traffic

Posted on 2010-09-10
Last Modified: 2012-05-10
Can somebody please look at this config and see if I am missing something. It looks as though some sort of ACL is preventing traffic from going across the tunnel. The tunnel stays up for a while and then goes down, but no traffic ever goes through, no ping or anything.
ASA 5510 config:
asdm image disk0:/asdm-508.bin
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname NCxxx-ASA
domain-name ncxxx.org
enable password /eH2ZKYOc/sPIoHi encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xx.xx.xx.209 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.99 255.255.255.0
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_in extended permit tcp any any eq 4280
access-list outside_in extended permit tcp any any eq 4285
access-list outside_in extended permit tcp any any eq 4282
access-list outside_in extended permit tcp any any eq 407
access-list outside_in extended permit udp any any eq 407
pager lines 24
logging enable
logging class auth asdm alerts
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
monitor-interface outside
monitor-interface inside
monitor-interface management
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 4282 192.168.0.40 4282 netmask 255.255.255.255
static (inside,outside) tcp interface 4280 192.168.0.40 4280 netmask 255.255.255.255
static (inside,outside) tcp interface 4285 192.168.0.40 4285 netmask 255.255.255.255
static (inside,outside) tcp interface 407 192.168.0.40 407 netmask 255.255.255.255
static (inside,outside) udp interface 407 192.168.0.40 407 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.214 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
username nylex password 2JUThYXOonOAx0AP encrypted privilege 15
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer xx.xx.xx.98
crypto map outside_map 20 set transform-set myset
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group xx.xx.xx.98 type ipsec-l2l
tunnel-group xx.xx.xx.98 ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.200-192.168.0.254 inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 68.94.156.1 68.94.157.1
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
Cryptochecksum:8e87cc6a232f491534b2f3ad84021702
: end
======
ASA 5505 config:
: Saved
:
ASA Version 7.2(4)
!
hostname ccityasa
domain-name ncid.local
enable password /eH2ZKYOc/sPIoHi encrypted
passwd /eH2ZKYOc/sPIoHi encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.99 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.98 255.255.255.248
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name ncid.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list nonnat extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip verify reverse-path interface outside
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonnat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 68.185.20.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer xx.xx.xx.209
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh xx.xx.xx.96 255.255.255.248 outside
ssh xx.xx.xx.98 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.10-192.168.2.90 inside
dhcpd dns 208.67.222.222 interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!

group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
tunnel-group xx.xx.xx.209 type ipsec-l2l
tunnel-group xx.xx.xx.209 ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:ece8c616a6a7267ddc13fcf4b36e893d
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
======

Show isakmp sa and show ipsec sa show the tunnel up, and so do the ASDM screens on both sides. Any help would be much appreciated. Thank you.
Question by:nylex
5 Comments
LVL 24

Expert Comment

by:rfc1180
ID: 33652078
Try applying this on both ASAs.

Use these commands in order to enable the correct sysopt command for your device:

    *      Cisco PIX 6.x and PIX/ASA 7.0

          pix(config)#sysopt connection permit-ipsec

    *      Cisco PIX/ASA 7.1(1) and later

          securityappliance(config)#sysopt connection permit-vpn

Note: If you do not wish to use the sysopt connection command, then you must explicitly permit the required traffic, which is interesting traffic from source to destination, for example, from the LAN of the remote device to the LAN of the local device and "UDP port 500" from the outside interface of the remote device to the outside interface of the local device, in the outside ACL.

Billy

Author Comment

by:nylex
ID: 33660223
Hi Billy;
Added the sysopt option on both sides, no change - still no traffic. The show access-list output shows 0 hits on the nonat ACL. Shouldn't there be some hits listed for the pings we are trying to send across the VPN?
LVL 2

Expert Comment

by:slotb007
ID: 33660635
Is it not a routing problem?

Maybe you must add some static route to route the traffic in the tunnel.

What is the logging telling you?

Author Comment

by:nylex
ID: 33665103
Slotb007:
Both ASAs are the default gateways on their sides; there are no other subnets to route the traffic to. From my experience the ASA would automatically add routing for traffic to the VPN subnets. Isn't that true? What would a routing statement look like if I do have to add one?

Accepted Solution

by:
nylex earned 0 total points
ID: 33666884
I believe I have solved the problem. It was a missing policy-map on CCityasa. Please close this question. Thank you.
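The thread walks through the usual site-to-site checklist: mirrored interesting-traffic ACLs, NAT exemption that matches the crypto ACL, the sysopt bypass rfc1180 suggested, and finally the global policy-map the 5505 turned out to lack. The checker below is an added example, not code from the thread or from Cisco; it runs the same consistency checks over constructed excerpts of the two posted configs, with TEST-NET addresses standing in for the redacted public peers.

```python
import re
# Constructed excerpts of the two configs posted in the thread; the peers' public
# addresses are redacted on the page, so TEST-NET placeholders stand in.
ASA5510 = """\
access-list 100 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 203.0.113.98
service-policy global_policy global
"""
ASA5505 = """\
access-list nonnat extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonnat
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 203.0.113.209
"""
ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)

def acl_entries(cfg):
    """ACL name -> set of (src, src_mask, dst, dst_mask) for its 'permit ip' entries."""
    acls = {}
    for m in ACE.finditer(cfg):
        acls.setdefault(m.group(1), set()).add(m.groups()[1:])
    return acls

def first(pattern, cfg):
    """First capture group of a line-anchored pattern, or None if the line is absent."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def check_l2l_pair(local, remote):
    """Finding codes for one side of a site-to-site pair (empty list = consistent)."""
    findings, acls = [], acl_entries(local)
    crypto = first(r"^crypto map \S+ \d+ match address (\S+)$", local)
    peer = first(r"^crypto map \S+ \d+ match address (\S+)$", remote)
    # The peer's interesting-traffic ACL must be the mirror image (src/dst swapped).
    mirrored = {(d, dm, s, sm) for (s, sm, d, dm) in acl_entries(remote).get(peer, set())}
    if acls.get(crypto, set()) != mirrored or not mirrored:
        findings.append("crypto-acl-mismatch")
    nonat = first(r"^nat \(inside\) 0 access-list (\S+)$", local)
    if acls.get(nonat, set()) != acls.get(crypto, set()):
        findings.append("nat-exempt-mismatch")        # tunnel traffic would be PATed instead
    if not re.search(r"^sysopt connection permit-(vpn|ipsec)$", local, re.M):
        findings.append("sysopt-not-explicit")        # default-on; hidden unless 'show run all'
    if not re.search(r"^service-policy \S+ global$", local, re.M):
        findings.append("no-global-service-policy")   # what the 5505 was missing
    return findings
```

Run against real `show running-config` output, the 5505 side reports the missing global service-policy, and both sides report sysopt as not explicitly set, which only means it was left at its default.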