
Cisco Hell

Last Modified: 2012-12-05
We are not CISCO people.  We spent all messing with a VPN.  
The VPN is up.  The REMOTE router (CCS IP:10.13.37.2) can ping the CISCO ASA (IP:10.161.56.250).  However nothing works past that.  I can only ping 10.161.56.250.  We are CCS at 10.13.37.0.

Any help, or anything people notice that is weird or a possible security issue, please let me know.  We just took over this router and we don't know the current config.

Thanks for any and all help!

Serg, system administrator

Commented:
Most likely the error is in the routing table. Show us the config (in the command line: #sh run).

Author

Commented:
Sorry, I thought I attached it to the original.  Here you go. Thanks for the help!
running-config.txt
Serg, system administrator

Commented:
You should not have published IP addresses, keys...
Serg, system administrator

Commented:
(Sorry for my English)
Do I understand correctly that you started to reconfigure Cisco ASA (10.161.56.250) in order to connect the CCS network?
Istvan Kalmar, Head of IT Security Division
CERTIFIED EXPERT
Top Expert 2010

Commented:
Hi,

The config seems to be good..


Please provide us the output of the 'sh cry isa' and 'sh cry ips sa' commands... I think 10.13.37.0 is the network address of the remote site.
Top Expert 2011

Commented:
Well, I could not find an access-list on the ASA that allows traffic from CCS to 10.161.56.250.

And what is your default gateway on both networks?

Author

Commented:
Result of the command: "sh cry isa"

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 207.190.***.***
    Type    : L2L             Role    : responder 
    Rekey   : no              State   : MM_ACTIVE 
2   IKE Peer: 173.162.***.***          <---VPN in question
    Type    : L2L             Role    : responder 
    Rekey   : no              State   : MM_ACTIVE 

Global IKE Statistics
Active Tunnels: 2
Previous Tunnels: 5
In Octets: 286900
In Packets: 3351
In Drop Packets: 5
In Notifys: 3310
In P2 Exchanges: 5
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 284592
Out Packets: 3356
Out Drop Packets: 0
Out Notifys: 6618
Out P2 Exchanges: 5
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 8
Initiator Tunnels: 2
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0




Result of the command: "sh cry ips sa"

interface: outside
    Crypto map tag: outside_map, seq num: 3, local addr: 173.9.***.***

      access-list outside_3_cryptomap extended permit ip 10.161.56.0 255.255.255.0 10.13.37.0 255.255.255.0 
      local ident (addr/mask/prot/port): (10.161.56.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (CCS/255.255.255.0/0/0)
      current_peer: 173.162.***.***

      #pkts encaps: 87, #pkts encrypt: 87, #pkts digest: 87
      #pkts decaps: 87, #pkts decrypt: 87, #pkts verify: 87
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 87, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 173.9.***.***/4500, remote crypto endpt.: 173.162.***.***/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 014B2383
      current inbound spi : E1F89980

    inbound esp sas:
      spi: 0xE1F89980 (3791165824)
         transform: esp-des esp-md5-hmac no compression 
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 24576, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 28624
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x014B2383 (21701507)
         transform: esp-des esp-md5-hmac no compression 
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 24576, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 28624
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

    Crypto map tag: outside_map, seq num: 1, local addr: 173.9.***.***

      access-list outside_1_cryptomap extended permit ip 10.161.47.0 255.255.255.0 host 10.1.1.63 
      local ident (addr/mask/prot/port): (Gengras_net1/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (FSIMED/255.255.255.255/0/0)
      current_peer: 207.190.213.178

      #pkts encaps: 2168, #pkts encrypt: 2168, #pkts digest: 2168
      #pkts decaps: 8597, #pkts decrypt: 8597, #pkts verify: 8597
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2168, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 173.9.***.***/4500, remote crypto endpt.: 207.190.***.***/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: A6C08F00
      current inbound spi : 3584887E

    inbound esp sas:
      spi: 0x3584887E (897878142)
         transform: esp-3des esp-md5-hmac no compression 
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 8192, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4372784/23032)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xA6C08F00 (2797637376)
         transform: esp-3des esp-md5-hmac no compression 
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 8192, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373813/23032)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

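As an added check (example code, not part of the thread or the poster's configuration), the script below parses the `show crypto ipsec sa` output posted above and pulls out what a reviewer wants from it: for each crypto map entry, the selectors, the peer, whether packets are being both encapsulated and decapsulated, and whether the negotiated transform is weak. The sample text embedded in the script is a constructed, trimmed copy of the two SAs above, with public addresses masked as in the post. On the seq 3 entry the counters are 87 encaps / 87 decaps, so ESP is flowing in both directions; a host that still cannot reach anything past 10.161.56.250 is therefore more likely being dropped after decryption (inside ACL, NAT exemption, return route) than by the tunnel itself. The same entry negotiates esp-des with esp-md5-hmac, which the script flags as weak; the seq 1 entry's esp-3des is flagged as legacy.

```python
"""Parse Cisco ASA 'show crypto ipsec sa' output and flag what a reviewer should look at:
weak or legacy transforms and one-directional packet counters.

Added example; not from the original thread. SAMPLE is a constructed, trimmed copy of the
two SAs posted there, with public IPs masked exactly as in the post."""
import re

SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 3, local addr: 173.9.***.***

      access-list outside_3_cryptomap extended permit ip 10.161.56.0 255.255.255.0 10.13.37.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.161.56.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (CCS/255.255.255.0/0/0)
      current_peer: 173.162.***.***

      #pkts encaps: 87, #pkts encrypt: 87, #pkts digest: 87
      #pkts decaps: 87, #pkts decrypt: 87, #pkts verify: 87

    inbound esp sas:
      spi: 0xE1F89980 (3791165824)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }

    Crypto map tag: outside_map, seq num: 1, local addr: 173.9.***.***

      access-list outside_1_cryptomap extended permit ip 10.161.47.0 255.255.255.0 host 10.1.1.63
      local ident (addr/mask/prot/port): (Gengras_net1/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (FSIMED/255.255.255.255/0/0)
      current_peer: 207.190.***.***

      #pkts encaps: 2168, #pkts encrypt: 2168, #pkts digest: 2168
      #pkts decaps: 8597, #pkts decrypt: 8597, #pkts verify: 8597

    inbound esp sas:
      spi: 0x3584887E (897878142)
         transform: esp-3des esp-md5-hmac no compression
"""

# One regex per field; each is searched inside a single "Crypto map tag" block.
_FIELD = {
    "seq": r"seq num: (\d+)",
    "crypto_acl": r"access-list (\S+) extended",
    "local_ident": r"local ident \(addr/mask/prot/port\): \(([^)]*)\)",
    "remote_ident": r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)",
    "peer": r"current_peer: (\S+)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "transform": r"transform: ([^\n]+)",  # first (inbound) SA's transform
}

# Algorithm classes as a security reviewer would grade them in 2012-era ASA output.
WEAK = ("esp-des", "esp-md5-hmac", "esp-null", "esp-none")
LEGACY = ("esp-3des", "esp-sha-hmac")


def parse_ipsec_sa(text):
    """Return one dict per 'Crypto map tag' block, in display order."""
    entries = []
    for chunk in re.split(r"\n(?=\s*Crypto map tag:)", text):
        if "Crypto map tag:" not in chunk:
            continue  # the leading "interface: outside" fragment
        e = {}
        for key, pat in _FIELD.items():
            m = re.search(pat, chunk)
            e[key] = m.group(1) if m else None
        e["seq"] = int(e["seq"])
        e["encaps"] = int(e["encaps"] or 0)
        e["decaps"] = int(e["decaps"] or 0)
        # Drop the trailing "no compression" note and normalise whitespace.
        e["transform"] = " ".join((e["transform"] or "").replace("no compression", "").split())
        entries.append(e)
    return entries


def findings(entry):
    """Human-readable findings for one SA; an empty list means nothing to flag."""
    out = []
    for alg in entry["transform"].split():
        if alg in WEAK:
            out.append(f"weak transform {alg}")
        elif alg in LEGACY:
            out.append(f"legacy transform {alg}")
    enc, dec = entry["encaps"], entry["decaps"]
    if enc and not dec:
        out.append("one-way: encrypting but nothing decrypted (check remote side / return route)")
    elif dec and not enc:
        out.append("one-way: decrypting but nothing encrypted (check local ACL, NAT exemption or route)")
    elif not enc and not dec:
        out.append("no traffic either way: phase 2 is up but nothing matches the crypto ACL")
    return out


if __name__ == "__main__":
    for e in parse_ipsec_sa(SAMPLE):
        print(f"seq {e['seq']} ({e['crypto_acl']}): {e['local_ident']} <-> {e['remote_ident']} "
              f"peer {e['peer']} encaps={e['encaps']} decaps={e['decaps']} [{e['transform']}]")
        for f in findings(e):
            print("   !", f)
```

Run it against a live `show crypto ipsec sa` capture by replacing SAMPLE; a counter that grows on one side only between two runs is the quickest way to tell a tunnel problem from a post-decryption drop.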

Author

Commented:
CCS is the remote site.
Default gateway for CCS is 10.13.37.2
Default gateway for Local site is the CISCO ASA 10.161.56.250
Top Expert 2011
Commented:

Author

Commented:
OK did that but no luck....any other ideas?
Serg, system administrator

Commented:
(Sorry for my English)
Try using "Packet tracer" from Cisco ASDM to model your situation. In your case, it can clearly show where the problem is.
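The CLI form of the packet-tracer check suggested above, followed by the ASA-side settings that most often explain "tunnel up, nothing passes", as an added example rather than anything taken from the thread or from the poster's running config. The hosts 10.161.56.10 and 10.13.37.10, the object names and the transform-set name are assumed for illustration. The thread does not state the ASA software version, so both the pre-8.3 and the 8.3+ NAT exemption forms are shown (use only the one that applies); on 8.4 and later the transform-set command takes an additional ikev1 keyword.

```cisco
! Trace a ping from an inside host to CCS. The output names the phase
! (ROUTE-LOOKUP, ACCESS-LIST, NAT, VPN) in which the packet is dropped.
packet-tracer input inside icmp 10.161.56.10 8 0 10.13.37.10 detailed
! Return direction, as it would arrive decrypted on the outside interface.
packet-tracer input outside icmp 10.13.37.10 8 0 10.161.56.10 detailed

! The two lookups the experts asked about: is there a route for the remote
! network, and is tunnel traffic exempt from NAT?
show route | include 10.13.37
show run nat

! --- NAT exemption, pre-8.3 syntax (assumed ACL name) ---
access-list inside_nat0_outbound extended permit ip 10.161.56.0 255.255.255.0 10.13.37.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! --- NAT exemption, 8.3 and later (identity twice NAT; assumed object names) ---
object network LOCAL_NET
 subnet 10.161.56.0 255.255.255.0
object network CCS_NET
 subnet 10.13.37.0 255.255.255.0
nat (inside,outside) source static LOCAL_NET LOCAL_NET destination static CCS_NET CCS_NET

! Decrypted VPN traffic bypasses the outside interface ACL only while this is set
! (it is the default, but confirm it survived the previous owner's config).
sysopt connection permit-vpn

! The seq 3 SA in the thread negotiates esp-des / esp-md5-hmac. Move both peers to a
! current transform; the transform-set name is assumed, seq 3 is the thread's own.
crypto ipsec transform-set CCS_AES256_SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 3 set transform-set CCS_AES256_SHA
```

Change the transform on both ends in one maintenance window, then clear the SA (`clear crypto ipsec sa peer <address>`) so phase 2 renegotiates; `show crypto ipsec sa` afterwards should show the new transform and non-zero counters in both directions.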