Solved

Cisco ASA 8.3(1) LAN-to-LAN VPN No Packets

Posted on 2012-09-11
2,340 Views
Last Modified: 2012-09-12
I am trying to create a LAN-to-LAN VPN between a Cisco ASA 5505 and another device. The tunnel comes up without error but there is absolutely no communication between the two LANs... absolutely no packets are being seen on either side. Can someone please look at my config for the ASA to see if any problems stick out. The second device in question, at the branch office, is hooked up with a 4G data card through Verizon Wireless.

ASA Inside (172.30.x.x) --> ASA Outside (67.xxx.xxx.xxx) --> [INTERNET] <-- VzW Outside (70.xxx.xxx.xxx) <-- Device II Outside (10.xxx.xxx.xxx) <-- Device II Inside (192.168.xxx.xxx)

ASA Version 8.3(1)
!
hostname ArgentASA
domain-name argent.local
enable xxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.30.1.5 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 67.xxx.xxx.194 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name argent.local
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object service Passive_FTP
 service tcp source range 5010 5030
object network OutsideIP
 host 67.152.116.195
object network FTP_Server
 host 172.30.1.250
object service FTP
 service tcp source eq ftp
object network vpnpool
 subnet 172.30.2.0 255.255.255.0
object network inside_network
 subnet 172.30.1.0 255.255.255.0
object network ECW
 subnet 192.168.1.0 255.255.255.0
object-group network group-inside-vpnclient
 network-object 172.30.1.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit tcp any object FTP_Server eq ftp
access-list outside_access_in extended permit tcp any object FTP_Server range 5010 5030
access-list outside_access_in extended permit ip 172.30.2.0 255.255.255.0 172.30.1.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 172.30.1.0 255.255.255.0
access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ippool-vpnclient 172.30.2.10-172.30.2.30 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static FTP_Server OutsideIP service Passive_FTP Passive_FTP
nat (inside,outside) source static FTP_Server OutsideIP service FTP FTP
nat (inside,any) source static inside_network inside_network destination static vpnpool vpnpool
nat (inside,any) source static inside_network inside_network destination static ECW ECW
!
object network obj_any
 nat (inside,outside) dynamic interface
object network inside_network
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.xxx.xxx.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.30.1.0 255.255.255.0 inside
http 172.30.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set xform-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dcmap-vpnclient 1 set transform-set xform-3des-md5 ESP-3DES-MD5
crypto map cmap-vpncient 65535 ipsec-isakmp dynamic dcmap-vpnclient
crypto map cmap-vpncient interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh 172.30.1.0 255.255.255.0 inside
ssh 172.30.2.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 96.xxx.xxx.105 source outside
webvpn
group-policy Argent_RA internal
group-policy Argent_RA attributes
 banner value Welcome to Argent's VPN
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec
 password-storage disable
 re-xauth enable
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl-vpnclient
 default-domain value argent.LOCAL
group-policy ECW internal
group-policy ECW attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl-vpnclient
 default-domain value argent.LOCAL
username xxxxxx password xxxxxx/ encrypted privilege 15
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy ECW
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
 isakmp keepalive threshold 25 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 25 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 25 retry 2
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
 address-pool ippool-vpnclient
 default-group-policy Argent_RA
tunnel-group vpnclient ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 25 retry 2
!
class-map ftp-class
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class ftp-class
  inspect ftp
!
service-policy global_policy global
prompt hostname context
no compression svc http-comp



 Crypto map tag: dcmap-vpnclient, seq num: 1, local addr: 67.xxx.xxx.194

      local ident (addr/mask/prot/port): (67.xxx.xxx.194/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 70.xxx.xxx.14

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 67.xxx.xxx.194/0, remote crypto endpt.: 70.xxx.xxx.14/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 80B2506C
      current inbound spi : F1EEB24E

    inbound esp sas:
      spi: 0xF1EEB24E (4058952270)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 512000, crypto-map: dcmap-vpnclient
         sa timing: remaining key lifetime (sec): 27301
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x80B2506C (2159169644)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 512000, crypto-map: dcmap-vpnclient
         sa timing: remaining key lifetime (sec): 27177
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


0
Question by:JBober14
58 Comments
 
LVL 3

Expert Comment

by:Heritage02Rider
ID: 38387630
What is the second device? Is it another ASA 5505?
0
 

Author Comment

by:JBober14
ID: 38387750
The other device is an ECW, a new product made by Ericsson. I am working with them on the issue but I figured if I could correct it with some help from experts-exchange that would be great.
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 38388041
What are your default gateways on both sides? Are they the ASA and the Ericsson device respectively?
0
 
LVL 2

Expert Comment

by:Sepist
ID: 38388080
This is a dynamic to static Lan2Lan it looks like, so your side will need to have reverse route injection configured, otherwise the remote subnet won't exist in your ASA's routing table:

"crypto dynamic-map dcmap-vpnclient 1 set reverse-route"

The far end not being able to reach you is most likely a NATting issue, but I couldn't confirm that just from seeing your side of the tunnel.
0
 

Author Comment

by:JBober14
ID: 38388092
ASA and Ericsson devices respectively. The Ericsson device is using a 4G LTE card for connectivity, so the IP addressing gets a little weird.

ASA Inside: 172.30.1.5
ASA Outside GW: 67.xxx.xxx.193
ASA Outside IP (internet): 67.xxx.xxx.194

Ericsson Inside: 192.168.1.1
Ericsson Outside GW: 10.xxx.xxx.125
Ericsson Outside IP: 10.xxx.xxx.126
Internet IP Address: 70.xxx.xxx.14
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 38388113
It is a routing issue then, since you have 0 in your encapsulated packets. Try Sepist's suggestion.
0
 
LVL 3

Expert Comment

by:Heritage02Rider
ID: 38388132
The 4G LTE card will not always have the same IP. You need to setup an EZ VPN connection for the Ericsson device. Basically, the ASA must be a responder and the Ericsson the initiator.

Try using the EZ VPN wizard and I will bet you will have little or no difficulty. You will define the settings and the login credentials for the Ericsson and then on the Ericsson, create a VPN connection using whatever settings you set in the wizard.

I have done this with foreign systems before. It works great.
0
 

Author Comment

by:JBober14
ID: 38388134
I added "crypto dynamic-map dcmap-vpnclient 1 set reverse-route"

Still no love, I forgot about reverse route injection... and I cannot get any logs off the Ericsson device as of right now.
0
 
LVL 2

Expert Comment

by:Sepist
ID: 38388141
If you do "show route" on the ASA now, do you see a route for the remote subnet? Did you clear the crypto tunnel and make it rebuild itself? If the route is in the table, try pinging across and see if you see one-way traffic in the show crypto ipsec sa output.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38388180
So if you check the logs on the ASA, does anything show when trying to set up the VPN?
0
 
LVL 3

Expert Comment

by:Heritage02Rider
ID: 38388187
Reminder: unless you have some specialized agreement with your 4G LTE ISP, anything you do will be worth nothing when the ISP changes the IP of the LTE card. I find they do this randomly and frequently enough that you will most likely run into it within a short period of time.

If you use the dynamic approach whereby the Ericsson initiates the connection, you will not have to worry about the routing problems.
0
 

Author Comment

by:JBober14
ID: 38388285
To Heritage02Rider: The connection will be initiated by the Ericsson device; due to the dynamic nature of the IP on that side I thought about the same issues.

To Sepist: I can see the 192 SN in place:

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 67.xxx.xxx.193 to network 0.0.0.0

C    172.30.1.0 255.255.255.0 is directly connected, inside
C    67.xxx.xxx.192 255.255.255.248 is directly connected, outside
S    192.168.1.0 255.255.255.0 [1/0] via 67.xxx.xxx.193, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 67.xxx.xxx.193, outside


To erniebeek: Output from debug crypto isakmp and ipsec shows phase 1 and 2 being completed, and a static route for the L2L peer coming in on a dynamic map: address: 192.168.1.0 mask: 255.255.255.0

Still cannot ping back to the 192 SN from the 172 side; the same outcome for the reverse.
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 38388300
Can you post the output of the sh crypto ipsec sa command?
0
 

Author Comment

by:JBober14
ID: 38388305
I ran the clear crypto ipsec and isakmp commands, reinitialized the tunnel, ran some ping tests which failed, and then ran the ipsec sa output command; results are in the snippet.

crypto ipsec sa output:

interface: outside
    Crypto map tag: dcmap-vpnclient, seq num: 1, local addr: 67.xxx.xxx.194

      local ident (addr/mask/prot/port): (67.xxx.xxx.194/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 70.xxx.xxx.14

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 67.xxx.xxx.194/0, remote crypto endpt.: 70.xxx.xxx.14/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 80B25088
      current inbound spi : 973C45CE

    inbound esp sas:
      spi: 0x973C45CE (2537309646)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 565248, crypto-map: dcmap-vpnclient
         sa timing: remaining key lifetime (sec): 27721
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x80B25088 (2159169672)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 565248, crypto-map: dcmap-vpnclient
         sa timing: remaining key lifetime (sec): 27713
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 38388309
What about sh crypto isakmp sa?
0
 

Author Comment

by:JBober14
ID: 38388362
sh crypto isakmp sa:

 Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 70.xxx.xxx.14
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE


0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 38388395
Can you post a tracert output from a PC in the inside LAN to the remote LAN?
0
 
LVL 2

Expert Comment

by:Sepist
ID: 38388400
The far end is establishing the tunnel but it's using your ASA's external IP as the remote subnet:


      local ident (addr/mask/prot/port): (67.xxx.xxx.194/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

But your side is performing a NAT exception prior to encryption via this command:

 nat (inside,any) source static inside_network inside_network destination static ECW ECW

so your traffic won't go back in its current form, since the remote side is expecting to see your firewall's external IP as the source, not un-NATted internal IPs.

The far end would need to fix that.
0
 

Author Comment

by:JBober14
ID: 38388404
fgasimzade, the tracerts are just coming back with "request timed out".
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 38388408
The packets are not being encrypted on the ASA:

 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
0
 
LVL 2

Expert Comment

by:Sepist
ID: 38388434
They aren't being encrypted because they're failing to match the encryption tunnel. If they want two-way communication on this dynamic L2L VPN, they will need to look into the far end using the wrong encryption domain for the tunnel. If the OP runs "packet-tracer input inside tcp 172.30.1.5 55555 192.168.1.5 80 detailed" it should fail at "VPN encrypt".
0
 

Author Comment

by:JBober14
ID: 38388463
packet-tracer input inside tcp 172.30.1.5 55555 192.168.1.5 80 detailed:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd810b518, priority=1, domain=permit, deny=false
        hits=26222110, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd8116438, priority=500, domain=permit, deny=true
        hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=172.30.1.5, mask=255.255.255.255, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


0
 
LVL 2

Expert Comment

by:Sepist
ID: 38388474
Close enough.

Remove this:

nat (inside,any) source static inside_network inside_network destination static ECW ECW

and rerun that command; it should get to the VPN portion (although it doesn't fix your problem honestly, but I guess it does prove out my theory).
0
 

Author Comment

by:JBober14
ID: 38388512
I removed:

 nat (inside,any) source static inside_network inside_network destination static ECW ECW

then put it back into the firewall and reran the packet tracer. Same issue:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd8116438, priority=500, domain=permit, deny=true
        hits=6, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=172.30.1.5, mask=255.255.255.255, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


0
 
LVL 2

Expert Comment

by:Sepist
ID: 38388514
Did you run it without the command in there?
0
 

Author Comment

by:JBober14
ID: 38388523
Yes I did:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd8116438, priority=500, domain=permit, deny=true
        hits=7, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=172.30.1.5, mask=255.255.255.255, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


0
 

Author Comment

by:JBober14
ID: 38388525
Sorry about that, I forgot to add that snippet the first time around.
0
 
LVL 2

Expert Comment

by:Sepist
ID: 38388548
Oh, shoot, your inside interface IP is 172.30.1.5 - I'm retarded.

Try "packet-tracer input inside tcp 172.30.1.10 55555 192.168.1.5 80 detailed"
0
 

Author Comment

by:JBober14
ID: 38388564
Hahaha, I thought that didn't look right, but I figured you knew something that I didn't know; hence I'm here.

This is a snippet without the NAT command [nat (inside,any) source static inside_network inside_network destination static ECW ECW]

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd810dd10, priority=0, domain=inspect-ip-options, deny=true
        hits=1632531, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network inside_network
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 172.30.1.10/55555 to 67.xxx.xxx.194/28496
 Forward Flow based lookup yields rule:
 in  id=0xd8d01788, priority=6, domain=nat, deny=false
        hits=1573449, user_data=0xd8be8c60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=172.30.1.0, mask=255.255.255.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd818f860, priority=0, domain=host-limit, deny=false
        hits=1630408, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 5
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xd8cd6ce8, priority=70, domain=encrypt, deny=false
        hits=1, user_data=0x10b6184, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=67.xxx.xxx.194, mask=255.255.255.255, port=0
        dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd8cb4118, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=1, user_data=0x10d7e1c, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=192.168.1.0, mask=255.255.255.0, port=0
        dst ip/id=67.xxx.xxx.194, mask=255.255.255.255, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd818c700, priority=0, domain=inspect-ip-options, deny=true
        hits=1559349, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1633597, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow


0
 

Author Comment

by:JBober14
ID: 38388577
This is a snippet with the NAT command [nat (inside,any) source static inside_network inside_network destination static ECW ECW]:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd810dd10, priority=0, domain=inspect-ip-options, deny=true
        hits=1632983, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,any) source static inside_network inside_network destination static ECW ECW
Additional Information:
Static translate 172.30.1.10/55555 to 172.30.1.10/55555
 Forward Flow based lookup yields rule:
 in  id=0xd8d202d0, priority=6, domain=nat, deny=false
        hits=1, user_data=0xd8a6cd30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=172.30.1.0, mask=255.255.255.0, port=0
        dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd818f860, priority=0, domain=host-limit, deny=false
        hits=1630860, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd818c700, priority=0, domain=inspect-ip-options, deny=true
        hits=1559793, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1634049, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow


0
 
LVL 2

Expert Comment

by:Sepist
ID: 38388588
Okay, so the first one, that's what I was looking for. That would be a working VPN packet if you were NATting, but the way you have it configured it is NAT exempt so that the far end can reach your internal subnet. You have to put that statement I had you remove back in, and the far end needs to fix it so that they connect to 172.30.1.x and not your ASA's external IP.

The second one still looks like it is working because of your reverse route injection: it sees a route out for 192.168.1.0, however it doesn't go through VPN encryption because it doesn't match the VPN tunnel that is established (e.g. your internal subnet pre-NAT matching the destination).

Sorry if this is confusing it is a bit difficult to break down.
0
 

Author Comment

by:JBober14
ID: 38388623
Ok, I think I follow, but every time I think I get myself in trouble... j/k.

So once I put the NAT exemption back in place, the data destined for the 192 SN does not go through the VPN tunnel. Do I need to add a static crypto map back through the tunnel? I thought that is what the dynamic map was doing for me... but as I said earlier, when I think I get myself into trouble.
0
 
LVL 2

Expert Comment

by:Sepist
ID: 38388635
Well, it really depends on what your end goal is. Does the remote end need to access resources behind your ASA, or are you only reaching devices on their end? If it's the former, then nothing you can do on the ASA will fix your problem, since the far end can only reach your ASA's external IP. If it's the second option, then just remove the command I had you remove earlier and you should be able to reach their side, or at least see one-way traffic on the VPN tunnel.
0
 

Author Comment

by:JBober14
ID: 38388649
Sepist, I appreciate the patience and the help. Could you elaborate as to why my device on the far end can only reach the outside of my ASA, or why you think that is happening?

Worst case, according to what you're telling me, I can remove the NAT statement and I should be able to reach the far end device from my network, but they will not be able to reach my network... one-way VPN traffic. Is that correct?
0
 
LVL 2

Expert Comment

by:Sepist
ID: 38388662
That's correct.

If you do a "show crypto ipsec sa" you will see the answer in the first few lines:

    local ident (addr/mask/prot/port): (67.xxx.xxx.194/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

The remote encryption domain is 192.168.1.0/24 (meaning that is the reachable network over VPN from your side), whereas the local is 67.x.x.x/32 (just the external IP of your firewall).

If they had the correct encryption domain, that should look like this:

    local ident (addr/mask/prot/port): (172.30.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
0
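The proxy-ID mismatch Sepist describes here, and the "VPN encrypt" phase he asked the OP to look for in packet-tracer output earlier in the thread, can both be checked mechanically. The following is an added example (not code from the thread or from Cisco): it parses `show crypto ipsec sa` output, compares the negotiated local/remote idents with the source and destination of the identity NAT rule, and flags whether a packet-tracer run matched a crypto map entry. The sample output is constructed from the thread's redacted dumps, with 198.51.100.194 and 203.0.113.14 (documentation addresses) standing in for the hidden 67.xxx.xxx.194 and 70.xxx.xxx.14.

```python
"""Check negotiated IPsec proxy IDs against the ASA's NAT-exempt L2L traffic."""
import ipaddress
import re

# Constructed sample modelled on the thread's 'show crypto ipsec sa' output.
# 198.51.100.194 / 203.0.113.14 are documentation addresses used in place of
# the redacted ASA outside IP and the 4G peer; they are not real hosts.
SA_BEFORE_FIX = """\
interface: outside
    Crypto map tag: dcmap-vpnclient, seq num: 1, local addr: 198.51.100.194

      local ident (addr/mask/prot/port): (198.51.100.194/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 203.0.113.14

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Same SA after the far end corrected its remote network to 172.30.1.0/24.
SA_AFTER_FIX = SA_BEFORE_FIX.replace(
    "198.51.100.194/255.255.255.255", "172.30.1.0/255.255.255.0")

IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sa(text):
    """Extract the proxy IDs and packet counters of the first SA in the output.

    Returns {'local': IPv4Network, 'remote': IPv4Network,
             'encaps': int, 'decaps': int}.
    """
    sa = {}
    for side, addr, mask in IDENT_RE.findall(text):
        # The ASA prints dotted masks; ip_network accepts addr/mask directly.
        sa.setdefault(side, ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    for direction, count in PKTS_RE.findall(text):
        sa.setdefault(direction, int(count))
    return sa


def check_encryption_domain(sa, nat_exempt_src, nat_exempt_dst):
    """Compare the SA's proxy IDs with the real (NAT-exempt) addresses.

    nat_exempt_src / nat_exempt_dst are the source and destination of the
    identity NAT rule (172.30.1.0/24 and 192.168.1.0/24 in the thread).
    Returns a list of findings; an empty list means the SA matches the traffic.
    """
    src = ipaddress.ip_network(nat_exempt_src)
    dst = ipaddress.ip_network(nat_exempt_dst)
    if "local" not in sa or "remote" not in sa:
        return ["no local/remote ident found: is phase 2 up at all?"]
    findings = []
    if not src.subnet_of(sa["local"]):
        findings.append(
            f"local ident {sa['local']} does not cover NAT-exempt source {src}: "
            "traffic sent with its real source address will not match this SA")
    if not dst.subnet_of(sa["remote"]):
        findings.append(
            f"remote ident {sa['remote']} does not cover NAT-exempt destination {dst}")
    if not findings and sa.get("encaps", 0) == 0 and sa.get("decaps", 0) == 0:
        findings.append(
            "proxy IDs match the traffic but no packets were encapsulated or "
            "decapsulated: look past the crypto config (routing, ACLs, far-end NAT)")
    return findings


def vpn_encrypt_phase_present(tracer_output):
    """True when packet-tracer output contains a 'Type: VPN / Subtype: encrypt'
    phase, i.e. the flow matched a crypto map entry before flow creation."""
    return re.search(r"Type: VPN[ \t]*\r?\nSubtype: encrypt", tracer_output) is not None


if __name__ == "__main__":
    for label, text in (("before fix", SA_BEFORE_FIX), ("after fix", SA_AFTER_FIX)):
        sa = parse_ipsec_sa(text)
        print(label, sa["local"], "->", sa["remote"])
        for finding in check_encryption_domain(sa, "172.30.1.0/24", "192.168.1.0/24"):
            print("  ", finding)
```

With the thread's pre-fix output the checker reports the /32 local ident; after the far end's correction it reports matching proxy IDs with zero counters, which is exactly the state the OP describes next.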
 

Author Comment

by:JBober14
ID: 38388683
So is that an issue on the far end device? I can have a tech setup a team viewer session with me so I can look at the VPN config on that side. Is there anything I should be looking for to allow it to drill into the inside network on my cisco side?
0
 
LVL 2

Expert Comment

by:Sepist
ID: 38388691
I don't know the far end device but in the VPN config when it asks for the remote subnet it should be 172.30.1.0/24 and not your firewall's external IP.
0
 

Author Comment

by:JBober14
ID: 38388696
Well Sepist, I will take a look at that... and get back with a response if I can figure anything out. Thanks again, but expect a new post soon with my findings.
0
 

Author Comment

by:JBober14
ID: 38388733
I did a TeamViewer session with the tech on the far side and he did not have the remote network enabled... now the proper subnets are being shown...

The results from the crypto ipsec sa look good but I still cannot pass any traffic... any ideas?

show crypto ipsec sa results:

interface: outside
    Crypto map tag: dcmap-vpnclient, seq num: 1, local addr: 67.xxx.xxx.194

      local ident (addr/mask/prot/port): (172.30.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 70.xxx.xxx.39

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 67.xxx.xxx.194/0, remote crypto endpt.: 70.xxx.xxx.39/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: E18EF6F9
      current inbound spi : 63EBCE65

    inbound esp sas:
      spi: 0x63EBCE65 (1676398181)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 618496, crypto-map: dcmap-vpnclient
         sa timing: remaining key lifetime (sec): 27965
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xE18EF6F9 (3784242937)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 618496, crypto-map: dcmap-vpnclient
         sa timing: remaining key lifetime (sec): 27954
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


0
 
LVL 2

Expert Comment

by:Sepist
ID: 38388742
Try "packet-tracer input inside tcp 172.30.1.10 55555 192.168.1.5 80 detailed" so I can see where it's failing.
0
 

Author Comment

by:JBober14
ID: 38388768
I don't see any failures but you may have a more discerning eye

packet-tracer input inside tcp 172.30.1.10 55555 192.168.1.5 80 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd810dd10, priority=0, domain=inspect-ip-options, deny=true
        hits=1641005, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,any) source static inside_network inside_network destination static ECW ECW
Additional Information:
Static translate 172.30.1.10/55555 to 172.30.1.10/55555
 Forward Flow based lookup yields rule:
 in  id=0xd7c2fa30, priority=6, domain=nat, deny=false
        hits=10, user_data=0xd8d6e8b8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=172.30.1.0, mask=255.255.255.0, port=0
        dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd818f860, priority=0, domain=host-limit, deny=false
        hits=1639038, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 5
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xd8d58890, priority=70, domain=encrypt, deny=false
        hits=10, user_data=0x116278c, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=172.30.1.0, mask=255.255.255.0, port=0
        dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd8cd6ce8, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=8, user_data=0x1183f84, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=192.168.1.0, mask=255.255.255.0, port=0
        dst ip/id=172.30.1.0, mask=255.255.255.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd818c700, priority=0, domain=inspect-ip-options, deny=true
        hits=1567834, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1642080, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow


0
 
LVL 2

Expert Comment

by:Sepist
ID: 38388777
Looks good, are you trying to reach the far end from the ASA or from a workstation behind the ASA?
0
 

Author Comment

by:JBober14
ID: 38388780
from a workstation behind the ASA and from a workstation behind the far end.
0
 
LVL 2

Expert Comment

by:Sepist
ID: 38388808
That's interesting, really should be working at this point. Try doing the inverse and make sure the return traffic is passed "packet-tracer input outside tcp 192.168.1.5 80 55555 172.30.1.10 detailed"
0
 

Author Comment

by:JBober14
ID: 38388838
packet-tracer input outside tcp 192.168.1.5 80 172.30.1.10 55555 detailed

&

packet-tracer input outside tcp 192.168.1.5 55555 172.30.1.10 80 detailed

Returned an ipsec spoof error:

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,any) source static inside_network inside_network destination static ECW ECW
Additional Information:
NAT divert to egress interface inside
Untranslate 172.30.1.10/55555 to 172.30.1.10/55555

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 172.30.1.0 255.255.255.0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd90b9cc0, priority=13, domain=permit, deny=false
        hits=1, user_data=0xd65812e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.1.0, mask=255.255.255.0, port=0
        dst ip/id=172.30.1.0, mask=255.255.255.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd818c700, priority=0, domain=inspect-ip-options, deny=true
        hits=1570226, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd8cd6ce8, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=11, user_data=0x1183f84, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=192.168.1.0, mask=255.255.255.0, port=0
        dst ip/id=172.30.1.0, mask=255.255.255.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd8110d70, priority=0, domain=host-limit, deny=false
        hits=3638, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,any) source static inside_network inside_network destination static ECW ECW
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xd94f2640, priority=6, domain=nat-reverse, deny=false
        hits=2, user_data=0xd8d6e8b8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.1.0, mask=255.255.255.0, port=0
        dst ip/id=172.30.1.0, mask=255.255.255.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=inside

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd810dd10, priority=0, domain=inspect-ip-options, deny=true
        hits=1643423, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0xd8d58890, priority=70, domain=encrypt, deny=false
        hits=13, user_data=0x116278c, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=172.30.1.0, mask=255.255.255.0, port=0
        dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected


0
 
LVL 2

Expert Comment

by:Sepist
ID: 38388855
I vaguely recall that being normal since it's an unencrypted test packet that should be encrypted, nothing to worry about. At this point I would say save the config and reload both sides, from this side it should be working, or at the minimum incrementing traffic on the tunnel. I've seen crypto tunnels act up after floundering around the config for a while so maybe it will work properly after a reboot.
0
 

Author Comment

by:JBober14
ID: 38389014
Sepist, thanks again. I left the office for the day. I will reboot the devices tomorrow and test again. Again, all the help is appreciated.
0
 

Author Comment

by:JBober14
ID: 38391122
Ok so I reset the devices on each side and still no go. The tunnel comes up, packet-tracers look good but I cannot send or receive any data.
0
 
LVL 2

Expert Comment

by:Sepist
ID: 38391129
That's interesting. Can you post the current sanitized config, I'll give it a once over to make sure nothing else is missed.
0
 

Author Comment

by:JBober14
ID: 38391195
I'll do that shortly... I have to contend with a customer's ecommerce site not accepting credit cards at the moment... Thanks again
0
 

Author Comment

by:JBober14
ID: 38391512
Here is a sanitized config file:

ASA Version 8.3(1)
!
hostname ArgentASA
domain-name argent.local
enable password xxxxx encrypted
passwd xxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.30.1.5 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 67.xxx.xxx.194 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name argent.local
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object service Passive_FTP
 service tcp source range 5010 5030
object network OutsideIP
 host 67.xxx.xxx.195
object network FTP_Server
 host 172.30.1.250
object service FTP
 service tcp source eq ftp
object network vpnpool
 subnet 172.30.2.0 255.255.255.0
object network inside_network
 subnet 172.30.1.0 255.255.255.0
object network ECW
 subnet 192.168.1.0 255.255.255.0
object network ECW_outside
 subnet 70.0.0.0 255.255.255.0
object-group network group-inside-vpnclient
 network-object 172.30.1.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit tcp any object FTP_Server eq ftp
access-list outside_access_in extended permit tcp any object FTP_Server range 5010 5030
access-list outside_access_in extended permit ip 172.30.2.0 255.255.255.0 172.30.1.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 172.30.1.0 255.255.255.0
access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient any
access-list vpn extended permit ip 172.30.2.0 255.255.255.0 172.30.1.0 255.255.255.0
access-list vpn extended permit ip 192.168.1.0 255.255.255.0 172.30.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ippool-vpnclient 172.30.2.10-172.30.2.30 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static FTP_Server OutsideIP service Passive_FTP Passive_FTP
nat (inside,outside) source static FTP_Server OutsideIP service FTP FTP
nat (inside,any) source static inside_network inside_network destination static vpnpool vpnpool
nat (inside,any) source static inside_network inside_network destination static ECW ECW
!
object network obj_any
 nat (inside,outside) dynamic interface
object network inside_network
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.xxx.xxx.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.30.1.0 255.255.255.0 inside
http 172.30.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set xform-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dcmap-vpnclient 1 set transform-set xform-3des-md5 ESP-3DES-MD5
crypto dynamic-map dcmap-vpnclient 1 set reverse-route
crypto map cmap-vpncient 65535 ipsec-isakmp dynamic dcmap-vpnclient
crypto map cmap-vpncient interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh 172.30.1.0 255.255.255.0 inside
ssh 172.30.2.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 96.xxx.xxx.105 source outside
webvpn
group-policy Argent_RA internal
group-policy Argent_RA attributes
 banner value Welcome to Argent's VPN
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec
 password-storage disable
 re-xauth enable
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl-vpnclient
 default-domain value argent.LOCAL
group-policy ECW internal
group-policy ECW attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl-vpnclient
 default-domain value argent.LOCAL
username xxxxx password xxxxx encrypted privilege 15
username xxxxx password xxxxx encrypted
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy ECW
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
 isakmp keepalive threshold 25 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 25 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 25 retry 2
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
 address-pool ippool-vpnclient
 default-group-policy Argent_RA
tunnel-group vpnclient ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 25 retry 2
!
class-map ftp-class
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class ftp-class
  inspect ftp
!
service-policy global_policy global
prompt hostname context
no compression svc http-comp
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:xxxxxxxxxxxx
: end


0
 
LVL 2

Expert Comment

by:Sepist
ID: 38391556
Hmm looks good. Now that you have the correct remote/local encryption domains, try removing the reverse route injection command I referenced earlier and clear the tunnel, see if that fixes it.
0
 

Author Comment

by:JBober14
ID: 38391630
I removed the reverse route... still does not work. Packet tracer looks good, but show route no longer shows the 192 SN.

Pings from both sides fail.
0
 
LVL 2

Expert Comment

by:Sepist
ID: 38391653
Wow, okay. Is "show crypto ipsec sa" still showing 0 packets?

Since the packet trace still looks good, let's cover some other things. Is this ASA the default route for the inside network (is 172.30.1.10 the default gateway of the computer you're testing from)?

Set up a capture on the ASA then try connecting to port 80 on the remote end to verify the ASA is receiving the traffic:

capture cap interface inside real-time match tcp 172.30.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80

You should see real-time packets captured when the ASA receives them on the inside interface.
0
 

Author Comment

by:JBober14
ID: 38391689
The default gateway for the computer I am using on the ASA side is 172.30.1.5 which is the ASA in question...

sh crypto ipsec sa after a ping test from the ASA side, it shows packets but no response from the far side:

interface: outside
    Crypto map tag: dcmap-vpnclient, seq num: 1, local addr: 67.xxx.xxx.194

      local ident (addr/mask/prot/port): (172.30.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 70.xxx.xxx.6

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 67.xxx.xxx.194/0, remote crypto endpt.: 70.xxx.xxx.6/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 1CF46DA7
      current inbound spi : 39354555

    inbound esp sas:
      spi: 0x39354555 (959792469)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 118784, crypto-map: dcmap-vpnclient
         sa timing: remaining key lifetime (sec): 27269
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x1CF46DA7 (485780903)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 118784, crypto-map: dcmap-vpnclient
         sa timing: remaining key lifetime (sec): 27265
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


0
 

Author Comment

by:JBober14
ID: 38391700
results from capture:

Warning: using this option with a slow console connection may
         result in an excessive amount of non-displayed packets
         due to performance limitations.

Use ctrl-c to terminate real-time capture


   1: 12:22:37.886703 802.1Q vlan#1 P0 172.30.1.101.59860 > 192.168.1.1.80: S 2458373893:2458373893(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   2: 12:22:37.891357 802.1Q vlan#1 P0 172.30.1.101.59861 > 192.168.1.1.80: S 4177157730:4177157730(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   3: 12:22:38.138512 802.1Q vlan#1 P0 172.30.1.101.59862 > 192.168.1.1.80: S 1135896526:1135896526(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   4: 12:22:40.880050 802.1Q vlan#1 P0 172.30.1.101.59860 > 192.168.1.1.80: S 2458373893:2458373893(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   5: 12:22:40.880142 802.1Q vlan#1 P0 172.30.1.101.59861 > 192.168.1.1.80: S 4177157730:4177157730(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   6: 12:22:41.138039 802.1Q vlan#1 P0 172.30.1.101.59862 > 192.168.1.1.80: S 1135896526:1135896526(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   7: 12:22:46.883361 802.1Q vlan#1 P0 172.30.1.101.59861 > 192.168.1.1.80: S 4177157730:4177157730(0) win 8192 <mss 1460,nop,nop,sackOK>
   8: 12:22:46.887161 802.1Q vlan#1 P0 172.30.1.101.59860 > 192.168.1.1.80: S 2458373893:2458373893(0) win 8192 <mss 1460,nop,nop,sackOK>
   9: 12:22:47.138405 802.1Q vlan#1 P0 172.30.1.101.59862 > 192.168.1.1.80: S 1135896526:1135896526(0) win 8192 <mss 1460,nop,nop,sackOK>
9 packets shown.
0 packets not shown due to performance limitations.


0
 
LVL 2

Accepted Solution

by:
Sepist earned 2000 total points
ID: 38391780
Okay so you have increased encapsulations (4), so your side is good - you have no decapsulated packets (0) so you're not receiving anything from the other side. The other side is the problem at this point.
0
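Sepist's two reads of `show crypto ipsec sa` in this thread (the /32 local ident in ID 38388662, and the encaps-without-decaps counters in the accepted answer) can be turned into a small checker. This is an added Python example, not code from the thread or from Cisco; the sample output is constructed from the snippets posted above, and the result labels are my own naming.

```python
import re
from dataclasses import dataclass

# Fields of "show crypto ipsec sa" that carry the diagnosis: the encryption
# domain (local/remote ident) and the encaps/decaps packet counters.
IDENT_RE = re.compile(
    r"(?P<side>local|remote) ident \(addr/mask/prot/port\): "
    r"\((?P<addr>[\w.]+)/(?P<mask>[\d.]+)/\d+/\d+\)"
)
COUNTER_RE = re.compile(r"#pkts (?P<name>encaps|decaps): (?P<n>\d+)")


@dataclass
class SaSummary:
    local_net: str = ""
    local_mask: str = ""
    remote_net: str = ""
    remote_mask: str = ""
    encaps: int = 0   # packets this ASA encrypted and sent into the tunnel
    decaps: int = 0   # packets this ASA received from the peer and decrypted


def parse_ipsec_sa(text: str) -> SaSummary:
    """Extract the encryption domain and traffic counters from one SA block."""
    sa = SaSummary()
    for m in IDENT_RE.finditer(text):
        if m.group("side") == "local":
            sa.local_net, sa.local_mask = m.group("addr"), m.group("mask")
        else:
            sa.remote_net, sa.remote_mask = m.group("addr"), m.group("mask")
    for m in COUNTER_RE.finditer(text):
        setattr(sa, m.group("name"), int(m.group("n")))
    return sa


def diagnose(sa: SaSummary) -> str:
    """Classify the tunnel state the way the thread walks through it."""
    # A host (/32) local ident means the peer negotiated the firewall's public
    # address as the "remote network" instead of the LAN behind the ASA.
    if sa.local_mask == "255.255.255.255":
        return "encryption-domain-mismatch"
    if sa.encaps == 0 and sa.decaps == 0:
        return "no-traffic"          # nothing is even being offered to the tunnel
    if sa.decaps == 0:
        return "one-way-outbound"    # this side sends, peer never answers
    if sa.encaps == 0:
        return "one-way-inbound"     # peer sends, this side never forwards a reply
    return "bidirectional"


# Constructed sample 1: the output before the far end fixed its remote subnet.
SAMPLE_MISMATCH = """\
      local ident (addr/mask/prot/port): (67.xxx.xxx.194/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Constructed sample 2: the output after the ping test from the ASA side.
SAMPLE_ONE_WAY = """\
      local ident (addr/mask/prot/port): (172.30.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 70.xxx.xxx.6
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_MISMATCH), ("after", SAMPLE_ONE_WAY)):
        sa = parse_ipsec_sa(sample)
        print(f"{label}: {sa.local_net}/{sa.local_mask} <-> "
              f"{sa.remote_net}/{sa.remote_mask} "
              f"encaps={sa.encaps} decaps={sa.decaps} -> {diagnose(sa)}")
```

Run it against a pasted SA block from your own ASA; "one-way-outbound" is the state the accepted answer describes, where the next step is on the peer.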
 

Author Comment

by:JBober14
ID: 38391795
Sepist thank you for the insight. I will look into the issue on the far side to see if I can figure anything out. I'll get back to you with an update shortly.
0
