JBober14
asked on
Cisco ASA 8.3(1) LAN-to-LAN VPN No Packets
I am trying to create a LAN-to-LAN VPN between a Cisco ASA 5505 and another device. The tunnel comes up without error but there is absolutely no communication between the two LANs... absolutely no packets are being seen on either side. Can someone please look at my config for the ASA to see if any problems stick out. The second device in question, at the branch office, is hooked up with a 4G data card through Verizon Wireless.
ASA Inside (172.30.x.x) --> ASA Outside (67.xxx.xxx.xxx) --> [INTERNET] <-- VzW Outside (70.xxx.xxx.xxx) <-- Device II Outside (10.xxx.xxx.xxx) <-- Device II Inside (192.168.xxx.xxx)
ASA Version 8.3(1)
!
hostname ArgentASA
domain-name argent.local
enable xxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.30.1.5 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 67.xxx.xxx.194 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name argent.local
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service Passive_FTP
service tcp source range 5010 5030
object network OutsideIP
host 67.152.116.195
object network FTP_Server
host 172.30.1.250
object service FTP
service tcp source eq ftp
object network vpnpool
subnet 172.30.2.0 255.255.255.0
object network inside_network
subnet 172.30.1.0 255.255.255.0
object network ECW
subnet 192.168.1.0 255.255.255.0
object-group network group-inside-vpnclient
network-object 172.30.1.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any object FTP_Server eq ftp
access-list outside_access_in extended permit tcp any object FTP_Server range 5010 5030
access-list outside_access_in extended permit ip 172.30.2.0 255.255.255.0 172.30.1.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 172.30.1.0 255.255.255.0
access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ippool-vpnclient 172.30.2.10-172.30.2.30 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static FTP_Server OutsideIP service Passive_FTP Passive_FTP
nat (inside,outside) source static FTP_Server OutsideIP service FTP FTP
nat (inside,any) source static inside_network inside_network destination static vpnpool vpnpool
nat (inside,any) source static inside_network inside_network destination static ECW ECW
!
object network obj_any
nat (inside,outside) dynamic interface
object network inside_network
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.xxx.xxx.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.30.1.0 255.255.255.0 inside
http 172.30.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set xform-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dcmap-vpnclient 1 set transform-set xform-3des-md5 ESP-3DES-MD5
crypto map cmap-vpncient 65535 ipsec-isakmp dynamic dcmap-vpnclient
crypto map cmap-vpncient interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh 172.30.1.0 255.255.255.0 inside
ssh 172.30.2.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 96.xxx.xxx.105 source outside
webvpn
group-policy Argent_RA internal
group-policy Argent_RA attributes
banner value Welcome to Argent's VPN
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec
password-storage disable
re-xauth enable
pfs disable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value acl-vpnclient
default-domain value argent.LOCAL
group-policy ECW internal
group-policy ECW attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec
pfs disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value acl-vpnclient
default-domain value argent.LOCAL
username xxxxxx password xxxxxx/ encrypted privilege 15
tunnel-group DefaultL2LGroup general-attributes
default-group-policy ECW
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
isakmp keepalive threshold 25 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 25 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 25 retry 2
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool ippool-vpnclient
default-group-policy Argent_RA
tunnel-group vpnclient ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 25 retry 2
!
class-map ftp-class
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class ftp-class
inspect ftp
!
service-policy global_policy global
prompt hostname context
no compression svc http-comp
Crypto map tag: dcmap-vpnclient, seq num: 1, local addr: 67.xxx.xxx.194
local ident (addr/mask/prot/port): (67.xxx.xxx.194/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 70.xxx.xxx.14
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 67.xxx.xxx.194/0, remote crypto endpt.: 70.xxx.xxx.14/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 80B2506C
current inbound spi : F1EEB24E
inbound esp sas:
spi: 0xF1EEB24E (4058952270)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 512000, crypto-map: dcmap-vpnclient
sa timing: remaining key lifetime (sec): 27301
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x80B2506C (2159169644)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 512000, crypto-map: dcmap-vpnclient
sa timing: remaining key lifetime (sec): 27177
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
What is the second device? Is it another ASA 5505?
ASKER
The other device is an ECW, a new product made by Ericsson. I am working with them on the issue but I figured if I could correct it with some help from experts-exchange that would be great.
What are your default gateways on both sides? Are they the ASA and the Ericsson device respectively?
This looks like a dynamic-to-static LAN-to-LAN, so your side will need reverse route injection configured; otherwise the remote subnet won't exist in your ASA's routing table:
"crypto dynamic-map dcmap-vpnclient 1 set reverse-route"
The far end not being able to reach you is most likely a natting issue but I couldn't confirm that just from seeing your side of the tunnel.
ASKER
ASA and Ericsson devices respectively. The Ericsson device is using a 4G LTE card for connectivity, so the IP addressing gets a little weird.
ASA Inside: 172.30.1.5
ASA Outside GW: 67.xxx.xxx.193
ASA Outside IP (internet): 67.xxx.xxx.194
Ericsson Inside: 192.168.1.1
Ericsson Outside GW: 10.xxx.xxx.125
Ericsson Outside IP: 10.xxx.xxx.126
Internet IP Address: 70.xxx.xxx.14
It is a routing issue then, since you have 0 in your encapsulated packets. Try Sepist's suggestion.
The 4G LTE card will not always have the same IP. You need to setup an EZ VPN connection for the Ericsson device. Basically, the ASA must be a responder and the Ericsson the initiator.
Try using the EZ VPN wizard and I will bet you will have little or no difficulty. You will define the settings and the login credentials for the Ericsson and then on the Ericsson, create a VPN connection using whatever settings you set in the wizard.
I have done this with foreign systems before. It works great.
ASKER
I added "crypto dynamic-map dcmap-vpnclient 1 set reverse-route"
Still no love, I forgot about reverse route injection... and I cannot get any logs off the Ericsson device as of right now.
If you do "show route" on the ASA now, do you see a route for the remote subnet? Did you clear the crypto tunnel and make it rebuild itself? If the route is in the table, try pinging across and see if you see one-way traffic in the show crypto ipsec sa output.
So if you check the logs on the ASA, does anything show when trying to set up the VPN?
Reminder: unless you have some specialized agreement with your 4G LTE ISP, anything you do will be worth nothing when the ISP changes the IP of the LTE card. I find they do this randomly and frequently enough that you will most likely run into it within a short period of time.
If you use the dynamic approach whereby the Ericsson initiates the connection, you will not have to worry about the routing problems.
ASKER
To Heritage02Rider: The connection will be initiated by the Ericsson device, due to the dynamic nature of the IP on that side I thought about the same issues.
To Sepist: I can see the 192 SN in place
To erniebeek: Output from debug crypto isakmp and ipsec show phase 1 and 2 being completed, and static route for L2L peer coming in on a dynamic map. address: 192.168.1.0 mask: 255.255.255.0
--Still cannot ping back to the 192 SN from the 172 side the same outcome for the reverse.
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 67.xxx.xxx.193 to network 0.0.0.0
C 172.30.1.0 255.255.255.0 is directly connected, inside
C 67.xxx.xxx.192 255.255.255.248 is directly connected, outside
S 192.168.1.0 255.255.255.0 [1/0] via 67.xxx.xxx.193, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 67.xxx.xxx.193, outside
Can you post the output of sh crypto ipsec sa command
ASKER
I ran the clear crypto ipsec and isakmp commands, reinitialized the tunnel, ran some ping tests (which failed), and then ran the ipsec sa output command. Results are in the snippet.
crypto ipsec sa output:
interface: outside
Crypto map tag: dcmap-vpnclient, seq num: 1, local addr: 67.xxx.xxx.194
local ident (addr/mask/prot/port): (67.xxx.xxx.194/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 70.xxx.xxx.14
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 67.xxx.xxx.194/0, remote crypto endpt.: 70.xxx.xxx.14/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 80B25088
current inbound spi : 973C45CE
inbound esp sas:
spi: 0x973C45CE (2537309646)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 565248, crypto-map: dcmap-vpnclient
sa timing: remaining key lifetime (sec): 27721
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x80B25088 (2159169672)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 565248, crypto-map: dcmap-vpnclient
sa timing: remaining key lifetime (sec): 27713
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
What about sh crypto isakmp sa?
ASKER
sh crypto isakmp sa:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 70.xxx.xxx.14
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Can you post a tracert output from PC in inside LAN to remote LAN?
The far end is establishing the tunnel but it's using your ASA's external IP as the remote subnet:
local ident (addr/mask/prot/port): (67.xxx.xxx.194/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
But your side is performing a NAT exception prior to encryption via this command:
nat (inside,any) source static inside_network inside_network destination static ECW ECW
so your traffic won't go back in its current form, since the remote side is expecting to see your firewall's external IP as the source, not un-NATted internal IPs.
The far end would need to fix that.
ASKER
fgasimzade the tracert are just coming back with request timed out.
The packets are not being encrypted on the ASA:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
They aren't being encrypted because they're failing to match the encryption tunnel. If they want two way communication on this dynamic l2l VPN they will need to look into the far end using the wrong encryption domain for the tunnel. If the OP runs "packet-tracer input inside tcp 172.30.1.5 55555 192.168.1.5 80 detailed" it should fail at "VPN encrypt"
ASKER
packet-tracer input inside tcp 172.30.1.5 55555 192.168.1.5 80 detailed:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd810b518, priority=1, domain=permit, deny=false
hits=26222110, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8116438, priority=500, domain=permit, deny=true
hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=172.30.1.5, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Close enough.
Remove this:
nat (inside,any) source static inside_network inside_network destination static ECW ECW
and rerun that command, should get to the VPN portion (although it doesn't fix your problem honestly but I guess it does prove out my theory)
ASKER
I removed:
nat (inside,any) source static inside_network inside_network destination static ECW ECW
then put it back into the firewall and reran the packet tracer. Same issue:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8116438, priority=500, domain=permit, deny=true
hits=6, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=172.30.1.5, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Did you run it without the command in there?
ASKER
yes i did:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8116438, priority=500, domain=permit, deny=true
hits=7, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=172.30.1.5, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASKER
Sorry about that I forgot to add that snippet the first time around
Oh, shoot, your inside interface IP is 172.30.1.5 - I'm retarded.
Try "packet-tracer input inside tcp 172.30.1.10 55555 192.168.1.5 80 detailed"
ASKER
Hahaha I thought that didn't look right, but I figured you knew something that I didn't know, hence I'm here.
This is a snippet without the NAT command [nat (inside,any) source static inside_network inside_network destination static ECW ECW]
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd810dd10, priority=0, domain=inspect-ip-options, deny=true
hits=1632531, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network inside_network
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 172.30.1.10/55555 to 67.xxx.xxx.194/28496
Forward Flow based lookup yields rule:
in id=0xd8d01788, priority=6, domain=nat, deny=false
hits=1573449, user_data=0xd8be8c60, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.30.1.0, mask=255.255.255.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd818f860, priority=0, domain=host-limit, deny=false
hits=1630408, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd8cd6ce8, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x10b6184, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=67.xxx.xxx.194, mask=255.255.255.255, port=0
dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd8cb4118, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=1, user_data=0x10d7e1c, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.1.0, mask=255.255.255.0, port=0
dst ip/id=67.xxx.xxx.194, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd818c700, priority=0, domain=inspect-ip-options, deny=true
hits=1559349, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1633597, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
ASKER
This is a snippet with the NAT command [nat (inside,any) source static inside_network inside_network destination static ECW ECW]:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd810dd10, priority=0, domain=inspect-ip-options, deny=true
hits=1632983, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,any) source static inside_network inside_network destination static ECW ECW
Additional Information:
Static translate 172.30.1.10/55555 to 172.30.1.10/55555
Forward Flow based lookup yields rule:
in id=0xd8d202d0, priority=6, domain=nat, deny=false
hits=1, user_data=0xd8a6cd30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.30.1.0, mask=255.255.255.0, port=0
dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd818f860, priority=0, domain=host-limit, deny=false
hits=1630860, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd818c700, priority=0, domain=inspect-ip-options, deny=true
hits=1559793, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1634049, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Okay so the first one, that's what I was looking for. So that would be a working VPN packet if you were NATting, but the way you have it configured it is NAT exempt so that the far end can reach your internal subnet. You have to put that statement I had you remove back in and the far end needs to fix it so that they connect to 172.30.1.x and not your ASA's external IP.
The second one still looks like it is working because of your reverse route injection: it sees a route out for 192.168.1.0, but it doesn't go through VPN encryption because it doesn't match the VPN tunnel that is established (i.e. your internal subnet, pre-NAT, matching the destination).
Sorry if this is confusing it is a bit difficult to break down.
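To make the NAT-before-crypto ordering described above concrete, here is an added example in Python (not code from this thread or from Cisco). It models the ASA's order of operations (manual/twice NAT first, then object NAT, then crypto-map selection against the SA's proxy IDs) and replays the two packet-tracer runs posted above, plus the case where the far end's encryption domain is corrected. 198.51.100.194 is a placeholder for the masked 67.xxx.xxx.194; the NAT rules, networks and proxy IDs are the thread's.

```python
"""Why a NAT-exempt flow misses a dynamic L2L SA on ASA 8.3: a small model.

Added example, not from the thread or from Cisco. It models the ASA order of
operations (NAT is evaluated before crypto-map/SA selection; manual NAT is
evaluated before object NAT) in plain Python so the two packet-tracer runs
in the thread can be replayed. 198.51.100.194 stands in for the masked
67.xxx.xxx.194 outside address; everything else is the thread's addressing.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class NatRule:
    """One NAT line. mapped_src=None means identity (NAT exemption);
    dst=None means the rule has no destination condition (object NAT)."""
    real_src: IPv4Network
    mapped_src: Optional[IPv4Address]
    dst: Optional[IPv4Network]


@dataclass(frozen=True)
class SecurityAssociation:
    """Proxy IDs as printed by 'show crypto ipsec sa' (local/remote ident)."""
    local_ident: IPv4Network
    remote_ident: IPv4Network


OUTSIDE_IP = ip_address("198.51.100.194")   # placeholder for 67.xxx.xxx.194
INSIDE_NET = ip_network("172.30.1.0/24")
ECW_NET = ip_network("192.168.1.0/24")

# nat (inside,any) source static inside_network inside_network destination static ECW ECW
NAT_EXEMPT = NatRule(INSIDE_NET, None, ECW_NET)
# object network inside_network / nat (inside,outside) dynamic interface
PAT_TO_INTERFACE = NatRule(INSIDE_NET, OUTSIDE_IP, None)

# What the far end negotiated before the fix: local ident = the firewall's /32
SA_FAR_END_WRONG = SecurityAssociation(ip_network(f"{OUTSIDE_IP}/32"), ECW_NET)
# What it negotiates once its "remote network" is set to 172.30.1.0/24
SA_FAR_END_FIXED = SecurityAssociation(INSIDE_NET, ECW_NET)


def host_flow(src: str, dst: str) -> Flow:
    """Build a Flow from dotted-quad strings."""
    return Flow(ip_address(src), ip_address(dst))


def apply_nat(flow: Flow, rules) -> Flow:
    """First matching rule wins, as on the ASA (manual NAT first, then object NAT)."""
    for rule in rules:
        if flow.src in rule.real_src and (rule.dst is None or flow.dst in rule.dst):
            if rule.mapped_src is None:
                return flow                              # identity: real address kept
            return Flow(rule.mapped_src, flow.dst)       # source PAT to the interface
    return flow


def selects_sa(flow: Flow, sa: SecurityAssociation) -> bool:
    """A post-NAT packet is encrypted only if it falls inside both proxy IDs."""
    return flow.src in sa.local_ident and flow.dst in sa.remote_ident


def encrypt_decision(flow: Flow, rules, sa: SecurityAssociation):
    """Return (post-NAT flow, whether it would reach the 'VPN encrypt' phase)."""
    translated = apply_nat(flow, rules)
    return translated, selects_sa(translated, sa)


if __name__ == "__main__":
    host = host_flow("172.30.1.10", "192.168.1.5")
    for label, rules, sa in [
        ("exemption in place, far end wrong", [NAT_EXEMPT, PAT_TO_INTERFACE], SA_FAR_END_WRONG),
        ("exemption removed, far end wrong", [PAT_TO_INTERFACE], SA_FAR_END_WRONG),
        ("exemption in place, far end fixed", [NAT_EXEMPT, PAT_TO_INTERFACE], SA_FAR_END_FIXED),
    ]:
        translated, encrypted = encrypt_decision(host, rules, sa)
        print(f"{label}: src after NAT {translated.src}, encrypted={encrypted}")
```

The three runs correspond to the thread: with the exemption in place and the far end's local ident at the firewall's /32, the packet keeps its 172.30.1.x source and never selects the SA (no VPN phase in packet-tracer); with the exemption removed it is PATted to the outside address and does select the SA, but only that address is reachable from the far end; with the far end corrected to 172.30.1.0/24 and the exemption kept, the real source address is what the SA carries and both directions can match.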
ASKER
OK, I think I follow, but every time I think I get myself in trouble... j/k.
So once I put the NAT exemption back in place, the data destined for the 192 SN does not go through the VPN tunnel. Do I need to add a static crypto map back through the tunnel? I thought that is what the dynamic map was doing for me... but as I said earlier, when I think I get myself into trouble.
Well, it really depends on what your end goal is. Does the remote end need to access resources behind your ASA, or are you only reaching devices on their end? If it's the former, then nothing you can do on the ASA will fix your problem, since the far end can only reach your ASA's external IP; if it's the second option, then just remove the command I had you remove earlier and you should be able to reach their side, or at least see one-way traffic on the VPN tunnel.
ASKER
Sepist I appreciate the patience and the help. If you could elaborate as to why my device on the far end can only reach the outside of my ASA. Or why you think that is happening.
Worst case, according to what you're telling me, I can remove the NAT statement and I should be able to reach the far end device from my network, but they will not be able to reach my network... one-way VPN traffic. Is that correct?
That's correct.
If you do a "show crypto ipsec sa" you will see the answer in the first few lines:
local ident (addr/mask/prot/port): (67.xxx.xxx.194/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
The remote encryption domain is 192.168.1.0/24 (meaning that is the reachable network over VPN from your side), whereas the local is 67.x.x.x/32 (just the external IP of your firewall).
If they had the correct encryption domain, that should look like this:
local ident (addr/mask/prot/port): (172.30.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
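A small parser for exactly this check, added here as an example (not code from the thread or from Cisco): it reads show crypto ipsec sa text, extracts the proxy IDs, peer and encaps/decaps counters, and flags the mismatched local ident and the zero counters discussed above. The sample text is constructed from the output posted in this thread, with 198.51.100.194 standing in for the masked 67.xxx.xxx.194 and 203.0.113.14 for 70.xxx.xxx.14; the expected inside and remote networks are parameters.

```python
"""Parse 'show crypto ipsec sa' and flag the symptoms discussed in this thread.

Added example, not from the thread or from Cisco. It assumes the ASA 8.x text
layout shown above (ident lines plus '#pkts encaps/decaps' counters). The
sample below is constructed from the thread's output, with 198.51.100.194 in
place of the masked 67.xxx.xxx.194 and 203.0.113.14 for 70.xxx.xxx.14.
"""
import re
from ipaddress import IPv4Network, ip_network

IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): "
    r"\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/(\d+)/(\d+)\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
PEER_RE = re.compile(r"current_peer: (\S+)")

# Constructed sample, modelled on the SA posted before the far end was fixed.
SAMPLE_BEFORE_FIX = """\
interface: outside
Crypto map tag: dcmap-vpnclient, seq num: 1, local addr: 198.51.100.194
local ident (addr/mask/prot/port): (198.51.100.194/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 203.0.113.14
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""


def parse_ipsec_sa(text: str):
    """Return one dict per 'Crypto map tag:' block: idents, peer and counters."""
    entries = []
    for block in text.split("Crypto map tag:")[1:]:
        entry = {"peer": None, "local": None, "remote": None, "encaps": 0, "decaps": 0}
        m = PEER_RE.search(block)
        if m:
            entry["peer"] = m.group(1)
        for side, addr, mask, _proto, _port in IDENT_RE.findall(block):
            entry[side] = ip_network(f"{addr}/{mask}")   # dotted mask is accepted
        for name, count in COUNTER_RE.findall(block):
            entry[name] = int(count)
        entries.append(entry)
    return entries


def diagnose(entry, inside_net: IPv4Network, remote_net: IPv4Network):
    """Map one parsed SA to (code, message) findings matching this thread's cases."""
    findings = []
    if entry["local"] != inside_net:
        findings.append(("LOCAL_IDENT",
            f"local ident is {entry['local']}, expected {inside_net}: with a dynamic "
            "crypto map the initiator's proxy IDs are accepted as-is, so the far end's "
            "'remote network' setting is what has to change"))
    if entry["remote"] != remote_net:
        findings.append(("REMOTE_IDENT",
            f"remote ident is {entry['remote']}, expected {remote_net}"))
    if entry["encaps"] == 0 and entry["decaps"] == 0:
        findings.append(("NO_TRAFFIC",
            "no packets in either direction: local flows are not being selected for "
            "this SA (check the NAT exemption against the local ident, and the route "
            "to the remote subnet)"))
    elif entry["encaps"] == 0:
        findings.append(("ONE_WAY_IN",
            "decaps only: the remote side sends, nothing here is selected for encryption"))
    elif entry["decaps"] == 0:
        findings.append(("ONE_WAY_OUT",
            "encaps only: we encrypt, the remote returns nothing (its routing, NAT or "
            "encryption domain)"))
    return findings


if __name__ == "__main__":
    inside, remote = ip_network("172.30.1.0/24"), ip_network("192.168.1.0/24")
    for sa in parse_ipsec_sa(SAMPLE_BEFORE_FIX):
        print(f"peer {sa['peer']}: local {sa['local']} remote {sa['remote']} "
              f"encaps={sa['encaps']} decaps={sa['decaps']}")
        for code, msg in diagnose(sa, inside, remote):
            print(f"  [{code}] {msg}")
```

Run it against the real output by piping show crypto ipsec sa into parse_ipsec_sa; the LOCAL_IDENT finding is the one that disappears once the far end's remote network is corrected, while NO_TRAFFIC remains until flows actually select the SA.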
ASKER
So is that an issue on the far end device? I can have a tech setup a team viewer session with me so I can look at the VPN config on that side. Is there anything I should be looking for to allow it to drill into the inside network on my cisco side?
I don't know the far end device but in the VPN config when it asks for the remote subnet it should be 172.30.1.0/24 and not your firewall's external IP.
ASKER
Well Sepist I will take a look at that... and get back with a response if I can figure anything out. Thanks again but expect a new post soon with my findings
ASKER
I did a teamviewer session with the tech on the far side and he did not have the remote network enabled...now the proper subnets are being shown...
The results from the crypto ipsec sa look good but I still cannot pass any traffic... any ideas?
show crypto ipsec sa results:
interface: outside
Crypto map tag: dcmap-vpnclient, seq num: 1, local addr: 67.xxx.xxx.194
local ident (addr/mask/prot/port): (172.30.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 70.xxx.xxx.39
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 67.xxx.xxx.194/0, remote crypto endpt.: 70.xxx.xxx.39/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: E18EF6F9
current inbound spi : 63EBCE65
inbound esp sas:
spi: 0x63EBCE65 (1676398181)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 618496, crypto-map: dcmap-vpnclient
sa timing: remaining key lifetime (sec): 27965
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xE18EF6F9 (3784242937)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 618496, crypto-map: dcmap-vpnclient
sa timing: remaining key lifetime (sec): 27954
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Try "packet-tracer input inside tcp 172.30.1.10 55555 192.168.1.5 80 detailed" so I can see where it's failing.
ASKER
I don't see any failures but you may have a more discerning eye
packet-tracer input inside tcp 172.30.1.10 55555 192.168.1.5 80 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd810dd10, priority=0, domain=inspect-ip-options, deny=true
hits=1641005, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,any) source static inside_network inside_network destination static ECW ECW
Additional Information:
Static translate 172.30.1.10/55555 to 172.30.1.10/55555
Forward Flow based lookup yields rule:
in id=0xd7c2fa30, priority=6, domain=nat, deny=false
hits=10, user_data=0xd8d6e8b8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.30.1.0, mask=255.255.255.0, port=0
dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd818f860, priority=0, domain=host-limit, deny=false
hits=1639038, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd8d58890, priority=70, domain=encrypt, deny=false
hits=10, user_data=0x116278c, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=172.30.1.0, mask=255.255.255.0, port=0
dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd8cd6ce8, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=8, user_data=0x1183f84, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.1.0, mask=255.255.255.0, port=0
dst ip/id=172.30.1.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd818c700, priority=0, domain=inspect-ip-options, deny=true
hits=1567834, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1642080, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Looks good, are you trying to reach the far end from the ASA or from a workstation behind the ASA?
ASKER
from a workstation behind the ASA and from a workstation behind the far end.
That's interesting, really should be working at this point. Try doing the inverse and make sure the return traffic is passed "packet-tracer input outside tcp 192.168.1.5 80 55555 172.30.1.10 detailed"
ASKER
packet-tracer input outside tcp 192.168.1.5 80 172.30.1.10 55555 detailed
&
packet-tracer input outside tcp 192.168.1.5 55555 172.30.1.10 80 detailed
Returned an ipsec spoof error:
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,any) source static inside_network inside_network destination static ECW ECW
Additional Information:
NAT divert to egress interface inside
Untranslate 172.30.1.10/55555 to 172.30.1.10/55555
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 172.30.1.0 255.255.255.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd90b9cc0, priority=13, domain=permit, deny=false
hits=1, user_data=0xd65812e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.1.0, mask=255.255.255.0, port=0
dst ip/id=172.30.1.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd818c700, priority=0, domain=inspect-ip-options, deny=true
hits=1570226, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8cd6ce8, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=11, user_data=0x1183f84, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.1.0, mask=255.255.255.0, port=0
dst ip/id=172.30.1.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8110d70, priority=0, domain=host-limit, deny=false
hits=3638, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,any) source static inside_network inside_network destination static ECW ECW
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd94f2640, priority=6, domain=nat-reverse, deny=false
hits=2, user_data=0xd8d6e8b8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.1.0, mask=255.255.255.0, port=0
dst ip/id=172.30.1.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=any, output_ifc=inside
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd810dd10, priority=0, domain=inspect-ip-options, deny=true
hits=1643423, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xd8d58890, priority=70, domain=encrypt, deny=false
hits=13, user_data=0x116278c, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=172.30.1.0, mask=255.255.255.0, port=0
dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=any, output_ifc=outside
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected
I vaguely recall that being normal since it's an unencrypted test packet that should be encrypted, nothing to worry about. At this point I would say save the config and reload both sides, from this side it should be working, or at the minimum incrementing traffic on the tunnel. I've seen crypto tunnels act up after floundering around the config for a while so maybe it will work properly after a reboot.
ASKER
Sepist thanks again. I left the office for the day. I will reboot the devices tomorrow and test again. Again all the help is appreciated
ASKER
Ok so I reset the devices on each side and still no go. The tunnel comes up, packet-tracers look good but I cannot send or receive any data.
That's interesting. Can you post the current sanitized config, I'll give it a once over to make sure nothing else is missed.
ASKER
I'll do that shortly... I have to contend with a customers ecommerce site not accepting credit cards at the moment... Thanks again
ASKER
Here is a sanitized config file:
ASA Version 8.3(1)
!
hostname ArgentASA
domain-name argent.local
enable password xxxxx encrypted
passwd xxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.30.1.5 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 67.xxx.xxx.194 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name argent.local
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service Passive_FTP
service tcp source range 5010 5030
object network OutsideIP
host 67.xxx.xxx.195
object network FTP_Server
host 172.30.1.250
object service FTP
service tcp source eq ftp
object network vpnpool
subnet 172.30.2.0 255.255.255.0
object network inside_network
subnet 172.30.1.0 255.255.255.0
object network ECW
subnet 192.168.1.0 255.255.255.0
object network ECW_outside
subnet 70.0.0.0 255.255.255.0
object-group network group-inside-vpnclient
network-object 172.30.1.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any object FTP_Server eq ftp
access-list outside_access_in extended permit tcp any object FTP_Server range 5010 5030
access-list outside_access_in extended permit ip 172.30.2.0 255.255.255.0 172.30.1.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 172.30.1.0 255.255.255.0
access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient any
access-list vpn extended permit ip 172.30.2.0 255.255.255.0 172.30.1.0 255.255.255.0
access-list vpn extended permit ip 192.168.1.0 255.255.255.0 172.30.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ippool-vpnclient 172.30.2.10-172.30.2.30 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static FTP_Server OutsideIP service Passive_FTP Passive_FTP
nat (inside,outside) source static FTP_Server OutsideIP service FTP FTP
nat (inside,any) source static inside_network inside_network destination static vpnpool vpnpool
nat (inside,any) source static inside_network inside_network destination static ECW ECW
!
object network obj_any
nat (inside,outside) dynamic interface
object network inside_network
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.xxx.xxx.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.30.1.0 255.255.255.0 inside
http 172.30.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set xform-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dcmap-vpnclient 1 set transform-set xform-3des-md5 ESP-3DES-MD5
crypto dynamic-map dcmap-vpnclient 1 set reverse-route
crypto map cmap-vpncient 65535 ipsec-isakmp dynamic dcmap-vpnclient
crypto map cmap-vpncient interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh 172.30.1.0 255.255.255.0 inside
ssh 172.30.2.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 96.xxx.xxx.105 source outside
webvpn
group-policy Argent_RA internal
group-policy Argent_RA attributes
banner value Welcome to Argent's VPN
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec
password-storage disable
re-xauth enable
pfs disable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value acl-vpnclient
default-domain value argent.LOCAL
group-policy ECW internal
group-policy ECW attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec
pfs disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value acl-vpnclient
default-domain value argent.LOCAL
username xxxxx password xxxxx encrypted privilege 15
username xxxxx password xxxxx encrypted
tunnel-group DefaultL2LGroup general-attributes
default-group-policy ECW
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
isakmp keepalive threshold 25 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 25 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 25 retry 2
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool ippool-vpnclient
default-group-policy Argent_RA
tunnel-group vpnclient ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 25 retry 2
!
class-map ftp-class
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class ftp-class
inspect ftp
!
service-policy global_policy global
prompt hostname context
no compression svc http-comp
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:xxxxxxxxxxxx
: end
Hmm looks good. Now that you have the correct remote/local encryption domains, try removing the reverse route injection command I referenced earlier and clear the tunnel, see if that fixes it.
ASKER
I removed the reverse route... still does not work. packet tracer looks good but the show route no longer shows the 192 SN.
Pings from both sides fail.
Wow, okay. Is "show crypto ipsec sa" still showing 0 packets?
Since the packet trace still looks good, let's cover some other things. Is this ASA the default route for the inside network (is 172.30.1.10 the default gateway of the computer you're testing from)?
Set up a capture on the ASA then try connecting to port 80 on the remote end to verify the ASA is receiving the traffic:
capture cap interface inside real-time match tcp 172.30.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80
you should see real-time packets captured when the ASA receives it on the inside interface
ASKER
The default gateway for the computer I am using on the ASA side is 172.30.1.5 which is the ASA in question...
sh crypto ipsec sa after a ping test from the ASA side, it shows packets but no response from the far side:
interface: outside
Crypto map tag: dcmap-vpnclient, seq num: 1, local addr: 67.xxx.xxx.194
local ident (addr/mask/prot/port): (172.30.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 70.xxx.xxx.6
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 67.xxx.xxx.194/0, remote crypto endpt.: 70.xxx.xxx.6/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 1CF46DA7
current inbound spi : 39354555
inbound esp sas:
spi: 0x39354555 (959792469)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 118784, crypto-map: dcmap-vpnclient
sa timing: remaining key lifetime (sec): 27269
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x1CF46DA7 (485780903)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 118784, crypto-map: dcmap-vpnclient
sa timing: remaining key lifetime (sec): 27265
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
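The two things Sepist reads out of "show crypto ipsec sa" in this thread, the proxy identities (local/remote ident must be the LAN subnets, not the firewall's outside /32) and the encaps/decaps counters (4 sent, 0 received means the far side never answers), can be checked mechanically. This is an added example, not code from the thread; the two sample outputs are constructed in the ASA's format, with RFC 5737 documentation addresses standing in for the masked public IPs.

```python
"""Parse 'show crypto ipsec sa' output and flag the two failure modes seen in
this thread.  Added example, not code from the thread; the sample outputs are
constructed, with RFC 5737 documentation addresses standing in for the masked
public IPs."""
import ipaddress
import re
from dataclasses import dataclass

# Matches e.g. "local ident (addr/mask/prot/port): (172.30.1.0/255.255.255.0/0/0)"
IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)"
)
# Matches "#pkts encaps: 4" and "#pkts decaps: 0"; the other counters are ignored
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


@dataclass
class SaSummary:
    local: ipaddress.IPv4Network   # local proxy identity (encryption domain)
    remote: ipaddress.IPv4Network  # remote proxy identity
    encaps: int                    # packets encapsulated (sent into the tunnel)
    decaps: int                    # packets decapsulated (received from the peer)


def parse_ipsec_sa(text: str) -> SaSummary:
    """Extract the proxy identities and the encaps/decaps counters of one SA."""
    idents = {}
    for side, addr, mask in IDENT_RE.findall(text):
        # IPv4Network accepts a dotted netmask, so "a.b.c.d/255.255.255.0" parses directly
        idents[side] = ipaddress.IPv4Network(f"{addr}/{mask}")
    counters = {name: int(n) for name, n in COUNTER_RE.findall(text)}
    return SaSummary(idents["local"], idents["remote"],
                     counters.get("encaps", 0), counters.get("decaps", 0))


def diagnose(sa: SaSummary, expected_local: str, expected_remote: str) -> list[str]:
    """Return finding codes for the SA against the encryption domains you expect."""
    findings = []
    if sa.local != ipaddress.IPv4Network(expected_local):
        findings.append("LOCAL_IDENT_MISMATCH")
        if sa.local.prefixlen == 32:
            # The peer negotiated the firewall's own /32 as the "remote network"
            findings.append("LOCAL_IDENT_IS_SINGLE_HOST")
    if sa.remote != ipaddress.IPv4Network(expected_remote):
        findings.append("REMOTE_IDENT_MISMATCH")
    if sa.encaps == 0 and sa.decaps == 0:
        findings.append("TUNNEL_IDLE")        # nothing matched the crypto map yet
    elif sa.decaps == 0:
        findings.append("ONE_WAY_NO_RETURN")  # sent into the tunnel, nothing came back
    elif sa.encaps == 0:
        findings.append("ONE_WAY_NO_SEND")    # receiving, but nothing matches outbound
    return findings


# Constructed: the state before the far end fixed its "remote network" setting
SAMPLE_WRONG_IDENT = """\
interface: outside
    Crypto map tag: dcmap-vpnclient, seq num: 1, local addr: 203.0.113.194
      local ident (addr/mask/prot/port): (203.0.113.194/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Constructed: correct domains, four pings sent, nothing received back
SAMPLE_ONE_WAY = """\
interface: outside
    Crypto map tag: dcmap-vpnclient, seq num: 1, local addr: 203.0.113.194
      local ident (addr/mask/prot/port): (172.30.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

if __name__ == "__main__":
    for name, sample in (("wrong ident", SAMPLE_WRONG_IDENT), ("one way", SAMPLE_ONE_WAY)):
        print(name, diagnose(parse_ipsec_sa(sample), "172.30.1.0/24", "192.168.1.0/24"))
```

Paste the real output of "show crypto ipsec sa" in place of the samples; ONE_WAY_NO_RETURN with correct identities points at the far side (routing or policy there), not at this ASA.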
ASKER
results from capture:
Warning: using this option with a slow console connection may
result in an excessive amount of non-displayed packets
due to performance limitations.
Use ctrl-c to terminate real-time capture
1: 12:22:37.886703 802.1Q vlan#1 P0 172.30.1.101.59860 > 192.168.1.1.80: S 2458373893:2458373893(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
2: 12:22:37.891357 802.1Q vlan#1 P0 172.30.1.101.59861 > 192.168.1.1.80: S 4177157730:4177157730(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
3: 12:22:38.138512 802.1Q vlan#1 P0 172.30.1.101.59862 > 192.168.1.1.80: S 1135896526:1135896526(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
4: 12:22:40.880050 802.1Q vlan#1 P0 172.30.1.101.59860 > 192.168.1.1.80: S 2458373893:2458373893(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
5: 12:22:40.880142 802.1Q vlan#1 P0 172.30.1.101.59861 > 192.168.1.1.80: S 4177157730:4177157730(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
6: 12:22:41.138039 802.1Q vlan#1 P0 172.30.1.101.59862 > 192.168.1.1.80: S 1135896526:1135896526(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
7: 12:22:46.883361 802.1Q vlan#1 P0 172.30.1.101.59861 > 192.168.1.1.80: S 4177157730:4177157730(0) win 8192 <mss 1460,nop,nop,sackOK>
8: 12:22:46.887161 802.1Q vlan#1 P0 172.30.1.101.59860 > 192.168.1.1.80: S 2458373893:2458373893(0) win 8192 <mss 1460,nop,nop,sackOK>
9: 12:22:47.138405 802.1Q vlan#1 P0 172.30.1.101.59862 > 192.168.1.1.80: S 1135896526:1135896526(0) win 8192 <mss 1460,nop,nop,sackOK>
9 packets shown.
0 packets not shown due to performance limitations.
ASKER
Sepist thank you for the insight. I will look into the issue on the far side to see if I can figure anything out. I'll get back to you with an update shortly.