farroar (United States) asked:

Cisco ASA - L2L VPN setup - Dynamic IP - Static IP - Packet Tracer

I am trying to configure an L2L VPN between two 5505s running 8.2. I think I have all the settings correct, but I am having trouble confirming. I am trying to confirm that this setup will work by using packet tracer. Here is the config of the dynamic side, with the packet tracer output after. I know having the other side's config listed is good too, but I know that is correct. It isn't connecting, and I've noticed that the packet tracer output drops the packet at encrypt, and the access-list for nonat isn't incrementing but the VPN "interesting traffic" access-list is.

Dynamic IP side:

access-list nonat extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.0.0 255.255.255.0

crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNMAP 10 match address ASPEN_VPN
crypto map VPNMAP 10 set peer IPofPEER
crypto map VPNMAP 10 set transform-set VPNSET
crypto map VPNMAP interface outside

crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

crypto isakmp nat-traversal 10

tunnel-group IPofPEER type ipsec-l2l
tunnel-group IPofPEER ipsec-attributes
 pre-shared-key *****

Output of show access-list:

access-list nonat; 1 elements; name hash: 0x13e041bf
access-list nonat line 1 extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=0) 0x22d25f22
access-list VPN; 1 elements; name hash: 0x5ff33dc8
access-list VPN line 1 extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=62) 0xe7f8523d

Packet Tracer Output:
packet-tracer input inside icmp 10.10.0.10 8 0 10.1.1.7

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc97611f0, priority=0, domain=inspect-ip-options, deny=true
        hits=78459, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9760e68, priority=66, domain=inspect-icmp-error, deny=false
        hits=2431, user_data=0xc9760d50, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 10.10.0.0 255.255.255.0 outside 10.1.1.0 255.255.255.0
    NAT exempt
    translate_hits = 12, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc98fbc38, priority=6, domain=nat-exempt, deny=false
        hits=12, user_data=0xc98001d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=10.10.0.0, mask=255.255.255.0, port=0
        dst ip=10.1.1.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 10.10.0.0 255.255.255.0
  match ip inside 10.10.0.0 255.255.255.0 outside any
    dynamic translation to pool 1 (66.31.98.174 [Interface PAT])
    translate_hits = 76372, untranslate_hits = 4227
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc97e1cf0, priority=1, domain=nat, deny=false
        hits=77803, user_data=0xc97e1c30, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.10.0.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 10.10.0.0 255.255.255.0
  match ip inside 10.10.0.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc97648b0, priority=1, domain=host, deny=false
        hits=81173, user_data=0xc97bb128, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.10.0.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc97ba9c8, priority=0, domain=host-limit, deny=false
        hits=80447, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xc97fdb30, priority=70, domain=encrypt, deny=false
        hits=32, user_data=0x0, cs_id=0xc6b80f50, reverse, flags=0x0, protocol=0
        src ip=10.10.0.0, mask=255.255.255.0, port=0
        dst ip=10.1.1.0, mask=255.255.255.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Thoughts?
Tags: Cisco, VPN

Last comment: farroar

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
anoopkmr
[answer text not shown on this page]

ASKER
farroar

Seems the type error comment pointed me in the right direction. I have it set up as static currently, but will be converting it to dynamic once the static side has some configuration changes made to it.

Thanks.
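Two things on this thread are worth pinning down with a worked config, since the accepted answer is not visible here. First, the question: packet-tracer dies in the VPN encrypt phase with "acl-drop", and the only name mismatch in the posted config is `crypto map VPNMAP 10 match address ASPEN_VPN` while the sole access-list defined is `VPN`; the asker's follow-up confirms a "type error" was the lead. Note also that the NAT-EXEMPT phase in the trace already reports `translate_hits = 12` for the nonat rule, so the `hitcnt=0` on `show access-list nonat` is not the fault (nat 0 exemption hits show in the NAT phase, not in the ACL counter). Second, the follow-up: converting the static side to accept a dynamic peer. The configuration below is an added example written for this page, not the asker's config or the accepted answer. It reuses the names, networks, transform set and ISAKMP policy from the post; `DYNMAP`, the static side's ACL and NAT lines, and the use of `DefaultL2LGroup` are assumptions, and `IPofPEER` and the pre-shared key stay as placeholders.

```cisco
! ===== Dynamic-IP side (the 5505 posted above): one-line fix =====
! The crypto map entry must reference the ACL that actually exists.
! The post points it at ASPEN_VPN; only access-list VPN is defined.
crypto map VPNMAP 10 match address VPN
crypto map VPNMAP 10 set peer IPofPEER
crypto map VPNMAP 10 set transform-set VPNSET
crypto map VPNMAP interface outside

! ===== Static-IP side (assumed config, not shown on the page) =====
! Mirror-image interesting-traffic ACL and NAT exemption.
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list VPN extended permit ip 10.1.1.0 255.255.255.0 10.10.0.0 255.255.255.0
nat (inside) 0 access-list nonat

! Phase 2 proposal must match the dynamic side (esp-3des / esp-sha-hmac).
crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac

! A peer whose address changes cannot be named with "set peer", so the
! static side accepts it through a dynamic crypto map. The match address
! line is optional but restricts which proxy IDs the dynamic peer may propose.
crypto dynamic-map DYNMAP 10 match address VPN
crypto dynamic-map DYNMAP 10 set transform-set VPNSET

! Give the dynamic entry the highest sequence number so any static
! entries in VPNMAP are evaluated first.
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP interface outside

! Phase 1 must match the dynamic side: aes-256 / sha / group 5 / pre-share.
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp nat-traversal 10

! Peers with no tunnel-group of their own fall into DefaultL2LGroup.
! Its pre-shared key must equal the key under tunnel-group IPofPEER
! on the dynamic side.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
```

Only the dynamic side can bring the tunnel up, because the static side has no peer address to send IKE to, so run the checks from the dynamic side: after the fix, `packet-tracer input inside icmp 10.10.0.10 8 0 10.1.1.7` should show the VPN encrypt phase as ALLOW and end with `Action: allow`; then send real traffic and confirm `show crypto isakmp sa` reports the peer as MM_ACTIVE and the `#pkts encaps` / `#pkts decaps` counters in `show crypto ipsec sa` both increase. Because the static side trusts any address that presents the group key, keep the `match address` restriction on the dynamic map and use a long, unique pre-shared key for `DefaultL2LGroup`; that key is the only thing identifying the dynamic peer.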