FIFBA (ASKER)

Site to Site VPN Problem between ASA 5505's.

I'm having quite a time getting a site to site VPN to work properly. I've done dozens and dozens of these but am hitting a wall.

There are 3 sites involved...2 sites have ASA 5505's running 8.2.1, 1 site has an 871. I'm not concerned about site 3 just yet...one thing at a time.

Site HQ has a Cisco 5505 and a site-to-site to the other 2 locations. Site 1 has a 5505 also. All locations have a remote access VPN set up which is working fine.

It seems that I can get the tunnel up but cannot pass traffic. Note that nat-traversal is set. Unfortunately, I don't have terminal access right now (can only access ASDM). The ASDM indicates that the tunnels are up but I am unable to ping anything. I am pinging from BEHIND the HQ ASA trying to ping the ASA at Site1. This ASA is configured for management access and allows http from the HQ subnet so I should be able to ping ok.

HQ is behind the ISP's Adtran (which I suspect is the problem). Site1 is behind a different ISP's modem.

I'm attaching the configs below. Again, I'm able to connect using VPN client just fine, just can't pass traffic over the site to site link. I don't know my way around ASDM very well but when I look at the monitoring of the VPN, it appears data is transmitted but not received.

Thanks for any help!


ASA Version 8.2(1) 
!
hostname HQ
domain-name default.domain.invalid
enable password JULc0D54xAOfM.Av encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0 
!
interface Vlan11
 nameif outside
 security-level 0
 ip address x.x.x.50 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 11
!
interface Ethernet0/1
 switchport access vlan 10
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
 switchport access vlan 10
!
interface Ethernet0/4
 switchport access vlan 10
!
interface Ethernet0/5
 switchport access vlan 10
!
interface Ethernet0/6
 switchport access vlan 10
!
interface Ethernet0/7
 switchport access vlan 10
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone cdt -6
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service VOIP_range udp
 port-object range 30000 30128
 port-object range 40000 40128
access-list outside_in extended permit tcp any any eq 6000 
access-list outside_in extended permit udp any any eq 6000 
access-list outside_in extended permit udp any any object-group VOIP_range 
access-list outside_in extended permit udp any any eq sip 
access-list outside_in extended permit tcp any any eq 6100 
access-list outside_in extended permit tcp any any eq 5090 
access-list outside_in extended permit tcp any any eq 5003 
access-list outside_in extended permit tcp any any eq telnet 
access-list outside_in extended permit icmp any any echo-reply 
access-list VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.32.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0 
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.32.0 255.255.255.0 
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0 
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 10.10.10.1-10.10.10.11 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 6000 192.168.0.200 6000 netmask 255.255.255.255 
static (inside,outside) udp interface 6000 192.168.0.200 6000 netmask 255.255.255.255 
static (inside,outside) udp interface sip 192.168.0.200 sip netmask 255.255.255.255 
static (inside,outside) tcp interface 6100 192.168.0.200 6100 netmask 255.255.255.255 
static (inside,outside) tcp interface 5090 192.168.0.200 5090 netmask 255.255.255.255 
static (inside,outside) tcp interface 5003 192.168.0.200 5003 netmask 255.255.255.255 
static (inside,outside) udp interface 30000 192.168.0.201 30000 netmask 255.255.255.255 

<output omitted> Static NAT entries like line above for ports 30001-30128 and 40000-40128

static (inside,outside) tcp interface telnet 192.168.0.202 telnet netmask 255.255.255.255 
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer x.x.x.241 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer x.x.x.193 
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.28
webvpn
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 dns-server value 192.168.0.3
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
 default-domain value mydomain.local

username name password hEW3mUlrZUPW/gd/ encrypted privilege 15
username name attributes
 vpn-group-policy RemoteAccess

tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 address-pool VPNPool
 default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.241 type ipsec-l2l
tunnel-group x.x.x.241 ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.193 type ipsec-l2l
tunnel-group x.x.x.193 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:a3f1170a74bf13a4098b36380571d16f
: end


ASA Version 8.2(1) 
!
hostname Site1
domain-name default.domain.invalid
enable password JULc0D54xAOfM.Av encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0 
!
interface Vlan11
 nameif outside
 security-level 0
 ip address x.x.x.193 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 11
!
interface Ethernet0/1
 switchport access vlan 10
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
 switchport access vlan 10
!
interface Ethernet0/4
 switchport access vlan 10
!
interface Ethernet0/5
 switchport access vlan 10
!
interface Ethernet0/6
 switchport access vlan 10
!
interface Ethernet0/7
 switchport access vlan 10
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone cdt -6
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service VOIP_range udp
 port-object range 30000 30128
 port-object range 40000 40128
access-list outside_in extended permit tcp any any eq 6000 
access-list outside_in extended permit udp any any eq 6000 
access-list outside_in extended permit udp any any object-group VOIP_range 
access-list outside_in extended permit udp any any eq sip 
access-list outside_in extended permit tcp any any eq 6100 
access-list outside_in extended permit tcp any any eq 5090 
access-list outside_in extended permit tcp any any eq 5003 
access-list outside_in extended permit tcp any any eq https 
access-list outside_in extended permit icmp any any echo-reply 
access-list VPN_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0 
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 10.10.10.1-10.10.10.11 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 6000 192.168.3.200 6000 netmask 255.255.255.255 
static (inside,outside) udp interface 6000 192.168.3.200 6000 netmask 255.255.255.255 
static (inside,outside) udp interface sip 192.168.3.200 sip netmask 255.255.255.255 
static (inside,outside) tcp interface 6100 192.168.3.200 6100 netmask 255.255.255.255 
static (inside,outside) tcp interface 5090 192.168.3.200 5090 netmask 255.255.255.255 
static (inside,outside) tcp interface 5003 192.168.3.200 5003 netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.3.200 https netmask 255.255.255.255 
static (inside,outside) udp interface 30000 192.168.3.200 30000 netmask 255.255.255.255 

<output omitted> Static NAT entries like line above for ports 30001-30128 and 40000-40128

access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.198 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.x.50 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 68.87.72.130 68.87.77.130
dhcpd ping_timeout 750
!
dhcpd address 192.168.3.100-192.168.3.110 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.28
webvpn
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
username name password hEW3mUlrZUPW/gd/ encrypted privilege 15
username name attributes
 vpn-group-policy RemoteAccess

tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 address-pool VPNPool
 default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.50 type ipsec-l2l
tunnel-group x.x.x.50 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect pptp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:5c945c9844114ad2e080096d4593a4ff
: end


Sun12345

Looks like you have added the NAT exempt on the outside interface access as well.
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0

Try deleting it from both sides and check what happens. One more thing: in ASDM, go to the log viewer and then disconnect the tunnel. Ping from one end to the other to see if the tunnel is throwing any errors. This should help you understand whether the tunnel did not come up fine.
FIFBA (ASKER)

Correct me if I'm wrong, but don't I need that NAT exempt statement so that a host behind the HQ firewall (192.168.0.1) does not look like a public IP from Site1's perspective? (i.e. I want host 192.168.0.1 to be able to ping host 192.168.3.1 and vice versa.)

You do need it, however only on the inside interface. When you ping from one LAN, the traffic is intercepted by the LAN interface. I have seen site-to-site tunnels behave in all sorts of different ways with anything extra configured.

As I suggested earlier, try removing it. It should be just few clicks to add it back if you want to.
FIFBA (ASKER)

That breaks the tunnel. Also, the packets coming from 192.168.0.3 (my test pc behind firewall) are being NAT'd to the public IP which, of course, would prevent the site1 firewall from accepting the packets.
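
As an added example, not part of the thread and not the asker's or an expert's code, here is the cross-check a practitioner would run before removing or re-adding the NAT exemption: the crypto ACL on each ASA must be the exact mirror of the peer's, every network pair in that crypto ACL must also be in the `nat (inside) 0` exemption list (otherwise the packets are PATed to the outside address before encryption, which is exactly the symptom reported above), and PFS and transform-set must agree on the two crypto map entries that point at each other. The two config strings are trimmed copies of the HQ and Site1 configs from the question; the x.x.x public addresses are replaced with documentation-range placeholders, which is an assumption made for the example.

```python
"""Added example (not code from the thread): cross-check two ASA 8.2(1)
site-to-site configs for the settings that must agree before traffic can
cross the tunnel: mirrored crypto ACLs, nat (inside) 0 exemption covering
the crypto ACL, and matching PFS / transform-set.  HQ_CONFIG and
SITE1_CONFIG are trimmed copies of the posted configs; the public
addresses are documentation-range placeholders (assumed)."""
import re
from typing import Dict, List, Optional, Set, Tuple

Net = Tuple[str, str, str, str]  # (src, src_mask, dst, dst_mask)

HQ_CONFIG = """\
interface Vlan11
 nameif outside
 ip address 203.0.113.50 255.255.255.248
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 198.51.100.241
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 192.0.2.193
crypto map outside_map 2 set transform-set ESP-3DES-SHA
"""

SITE1_CONFIG = """\
interface Vlan11
 nameif outside
 ip address 192.0.2.193 255.255.255.248
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 203.0.113.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set pfs|set transform-set)\s*(.*)$")
IP_RE = re.compile(r"^ ip address (\S+) \S+")


def parse_asa(config: str) -> dict:
    """Pull out the pieces of an 8.2-style config that a L2L tunnel depends on."""
    acls: Dict[str, List[Net]] = {}
    cmap: Dict[Tuple[str, str], Dict[str, str]] = {}
    nat0_acl: Optional[str] = None
    outside_ip: Optional[str] = None
    in_outside = False
    for line in config.splitlines():
        if line.startswith("interface "):
            in_outside = False
        elif line.strip() == "nameif outside":
            in_outside = True
        m = IP_RE.match(line)
        if m and in_outside:
            outside_ip = m.group(1)
            continue
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0_acl = m.group(1)
            continue
        m = CMAP_RE.match(line)
        if m:
            entry = cmap.setdefault((m.group(1), m.group(2)), {})
            key = m.group(3).split()[-1]  # address | peer | pfs | transform-set
            value = m.group(4).strip()
            if key == "pfs" and not value:
                value = "group2"  # ASA default when "set pfs" names no group
            entry[key] = value
    return {"acls": acls, "crypto_map": cmap, "nat0_acl": nat0_acl, "outside_ip": outside_ip}


def entry_for_peer(parsed: dict, peer_ip: str) -> Optional[Dict[str, str]]:
    """Crypto map entry whose 'set peer' list contains peer_ip (None if absent)."""
    for entry in parsed["crypto_map"].values():
        if peer_ip in entry.get("peer", "").split():
            return entry
    return None


def mirror(acl: Set[Net]) -> Set[Net]:
    """Swap source and destination, i.e. what the other side's ACL must look like."""
    return {(d, dm, s, sm) for (s, sm, d, dm) in acl}


def check_pair(a: dict, b: dict) -> List[str]:
    """Return findings for the tunnel between a and b; [] means the sides agree."""
    findings: List[str] = []
    ea = entry_for_peer(a, b["outside_ip"])
    eb = entry_for_peer(b, a["outside_ip"])
    if ea is None or eb is None:
        return [f"no crypto map entry for the peer on one side ({a['outside_ip']} <-> {b['outside_ip']})"]
    acl_a: Set[Net] = set(a["acls"].get(ea.get("address"), []))
    acl_b: Set[Net] = set(b["acls"].get(eb.get("address"), []))
    if not acl_a or acl_a != mirror(acl_b):
        findings.append(f"crypto ACLs are not exact mirrors: {sorted(acl_a)} vs {sorted(acl_b)}")
    for label, side, acl in (("A", a, acl_a), ("B", b, acl_b)):
        exempt: Set[Net] = set(side["acls"].get(side["nat0_acl"], []))
        missing = acl - exempt
        if missing:  # these flows would be PATed to the outside address before encryption
            findings.append(f"side {label} ({side['outside_ip']}): nat (inside) 0 does not exempt {sorted(missing)}")
    if ea.get("pfs") != eb.get("pfs"):
        findings.append(f"PFS mismatch: {ea.get('pfs')} vs {eb.get('pfs')}")
    if ea.get("transform-set") != eb.get("transform-set"):
        findings.append(f"transform-set mismatch: {ea.get('transform-set')} vs {eb.get('transform-set')}")
    return findings


if __name__ == "__main__":
    for line in check_pair(parse_asa(HQ_CONFIG), parse_asa(SITE1_CONFIG)) or ["HQ and Site1 agree"]:
        print(line)
```

Run against the two posted configs the checker reports no findings, which is consistent with Phase 2 completing: the mirrored ACLs, the exemptions and PFS group1 all line up on the HQ-to-Site1 pair. Dropping the exemption line from either side, as suggested above, produces a "nat (inside) 0 does not exempt" finding for that side, which is the mechanism behind the packets showing up with the public source address.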
FIFBA (ASKER)

I added the NAT exempt lines back. When I look at the VPN monitoring in the ASDM, I see that HQ has Tx packets 1320 and Rx packets 0. Site1 has 0 Tx and Rx. To me this indicates that traffic from HQ is not hitting Site1. Is this correct? I'm thinking this must indicate that the ISP's box (which is our next hop at HQ) is denying packets somehow? I'm not sure if this makes sense, though, since Phase 2 IKE is completing successfully. Any thoughts?
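
As an added example, not from the thread, the same reading of the counters can be done from `show crypto ipsec sa` on both ASAs once terminal access is available, since ASDM's Tx/Rx figures come from the per-SA `#pkts encaps` and `#pkts decaps` counters. The two outputs below are constructed samples in the ASA 8.x format with the counters set to what is reported above (HQ 1320 encapsulated, 0 decapsulated; Site1 0 and 0) and documentation-range placeholder addresses; none of it is real output from these devices.

```python
"""Added example (not from the thread): classify a one-way tunnel from the
per-SA counters of `show crypto ipsec sa` collected on both peers.  HQ_SA
and SITE1_SA are constructed samples in the ASA 8.x output format; the
counters copy the thread's ASDM figures and the addresses are placeholders."""
import re
from typing import Dict, List, Optional, Tuple

HQ_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.50

      access-list outside_2_cryptomap permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      current_peer: 192.0.2.193

      #pkts encaps: 1320, #pkts encrypt: 1320, #pkts digest: 1320
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

SITE1_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 192.0.2.193

      access-list outside_1_cryptomap permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      current_peer: 203.0.113.50

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

LOCAL_RE = re.compile(r"local addr: ([\d.]+)")
PEER_RE = re.compile(r"current_peer: ([\d.]+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERR_RE = re.compile(r"#send errors: (\d+), #recv errors: (\d+)")


def parse_ipsec_sa(text: str) -> List[Dict[str, object]]:
    """One dict per SA block: local/peer address plus the four counters we need."""
    sas: List[Dict[str, object]] = []
    cur: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        m = LOCAL_RE.search(line)
        if m:  # the "Crypto map tag: ..., local addr:" line opens a new SA block
            cur = {"local": m.group(1), "peer": None, "encaps": 0, "decaps": 0,
                   "send_errors": 0, "recv_errors": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = PEER_RE.search(line)
        if m:
            cur["peer"] = m.group(1)
        for name, val in COUNTER_RE.findall(line):
            cur[name] = int(val)
        m = ERR_RE.search(line)
        if m:
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return sas


def sa_for_peer(sas: List[Dict[str, object]], peer: str) -> Dict[str, object]:
    return next(sa for sa in sas if sa["peer"] == peer)


def classify(a: Dict[str, object], b: Dict[str, object]) -> Tuple[str, str]:
    """a and b are the same SA as seen from each peer.  Returns (code, explanation)."""
    a_sends, b_sends = a["encaps"] > 0, b["encaps"] > 0
    for src, dst, code in ((a, b, "a_to_b"), (b, a, "b_to_a")):
        if src["encaps"] > 0 and dst["decaps"] == 0:
            if dst["recv_errors"] > 0:
                return (code + "_rejected", f"{dst['local']} receives ESP from {src['local']} but cannot "
                        "process it (recv errors): SPI or transform mismatch, clear the SAs on both sides")
            return (code + "_dropped", f"{src['local']} encapsulates but {dst['local']} never decapsulates "
                    f"and shows no errors: ESP (or UDP/4500) from {src['local']} is not reaching the peer, "
                    f"check the device in front of {dst['local']} and the path between the sites")
    if a_sends and b_sends:
        return ("bidirectional", "both peers encrypt and decrypt; the tunnel is passing traffic")
    if a_sends or b_sends:
        quiet = b if a_sends else a
        return ("no_return_traffic", f"{quiet['local']} decapsulates but never encapsulates: replies are "
                "not matching its crypto ACL / nat 0 exemption, or its hosts route elsewhere")
    return ("idle", "no interesting traffic has hit this SA on either side")


if __name__ == "__main__":
    hq = sa_for_peer(parse_ipsec_sa(HQ_SA), "192.0.2.193")
    s1 = sa_for_peer(parse_ipsec_sa(SITE1_SA), "203.0.113.50")
    print(*classify(hq, s1), sep=": ")
```

With the thread's figures the result is `a_to_b_dropped`: HQ is encrypting (encaps 1320, send errors 0) and Site1 neither decapsulates nor logs receive errors, so the encrypted packets are not arriving at Site1's outside interface, which matches the suspicion about the device in front of HQ rather than a Phase 2 problem. A `recv errors` count on the receiving side would instead point at an SA mismatch, and a side that decapsulates without ever encapsulating points back at its own crypto ACL, exemption or host routing.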

ASKER CERTIFIED SOLUTION
Sun12345

Are the clients and servers using the Cisco VPN appliances as their gateway? If not, there will need to be some static routes created on the other router or statically added to the clients individually so they can communicate with the other subnets.
FIFBA (ASKER)

The ASA's are the gateways for all clients at all locations. IKE phase 2 is completing so there are no routing issues.
FIFBA (ASKER)

lrmoore???
SOLUTION

FIFBA (ASKER)

I have tried (unsuccessfully) to access the Site1 ASDM from behind the HQ firewall. This should be allowed since I have the management-access inside command on the Site1 ASA and have included HQ's subnet in the http commands on Site1 ASA.  I really should be able to ping Site1's ASA from behind HQ's firewall.
FIFBA (ASKER)

When at Site1, I am able to successfully ping HQ. During this time, I can ping the Site1 ASA (and anything else at Site1) from a device behind the HQ firewall. If I break the tunnel (clear isakmp sa), I am unable to ping Site1 from HQ until I bring the tunnel up from Site1.

So it looks like the VPN only works when traffic is initiated from Site1.
FIFBA (ASKER)

I'm still unable to resolve this. I am in workaround mode since I can at least get the tunnel working if Site1 initiates traffic, but I need to get this solved and am at a dead end. Is anyone able to offer any suggestions?

What kind of firewall is the HQ firewall?

Can you post a debug log from the ASA that will not initiate the connection? This will allow us to see where it's hanging up.

@Sun12345 could be on to something with the NAT exemption.
FIFBA (ASKER)

The HQ firewall is an ASA 5505 running 8.2.1. I will have to go onsite to get the debugging info...not sure when I will be able to do this.
FIFBA (ASKER)

No one is monitoring this so I'm going to drop off. I'll award points as I have been able to isolate the problem based on your feedback.