farroar asked:

Cisco ASA - L2L VPN setup - Dynamic IP - Static IP - Packet Tracer

I am trying to configure an L2L VPN between two 5505s running 8.2. I think I have all the settings correct but I am having trouble confirming. I am trying to confirm that this setup will work by using packet tracer. Here is the config of the Dynamic side with the packet tracer output after. I know having the other side's config listed is good too but I know that is correct. It isn't connecting and I've noticed that the packet tracer output drops the packet at encrypt, and the access-list for nonat isn't incrementing but the VPN "interesting traffic" access-list is.

Dynamic IP side:

access-list nonat extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.0.0 255.255.255.0

crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNMAP 10 match address ASPEN_VPN
crypto map VPNMAP 10 set peer IPofPEER
crypto map VPNMAP 10 set transform-set VPNSET
crypto map VPNMAP interface outside

crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

crypto isakmp nat-traversal 10

tunnel-group IPofPEER type ipsec-l2l
tunnel-group IPofPEER ipsec-attributes
 pre-shared-key *****

Output of show access-list:

access-list nonat; 1 elements; name hash: 0x13e041bf
access-list nonat line 1 extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=0) 0x22d25f22
access-list VPN; 1 elements; name hash: 0x5ff33dc8
access-list VPN line 1 extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=62) 0xe7f8523d

Packet Tracer Output:
packet-tracer input inside icmp 10.10.0.10 8 0 10.1.1.7

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc97611f0, priority=0, domain=inspect-ip-options, deny=true
        hits=78459, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9760e68, priority=66, domain=inspect-icmp-error, deny=false
        hits=2431, user_data=0xc9760d50, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 10.10.0.0 255.255.255.0 outside 10.1.1.0 255.255.255.0
    NAT exempt
    translate_hits = 12, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc98fbc38, priority=6, domain=nat-exempt, deny=false
        hits=12, user_data=0xc98001d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=10.10.0.0, mask=255.255.255.0, port=0
        dst ip=10.1.1.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 10.10.0.0 255.255.255.0
  match ip inside 10.10.0.0 255.255.255.0 outside any
    dynamic translation to pool 1 (66.31.98.174 [Interface PAT])
    translate_hits = 76372, untranslate_hits = 4227
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc97e1cf0, priority=1, domain=nat, deny=false
        hits=77803, user_data=0xc97e1c30, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.10.0.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 10.10.0.0 255.255.255.0
  match ip inside 10.10.0.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc97648b0, priority=1, domain=host, deny=false
        hits=81173, user_data=0xc97bb128, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.10.0.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc97ba9c8, priority=0, domain=host-limit, deny=false
        hits=80447, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xc97fdb30, priority=70, domain=encrypt, deny=false
        hits=32, user_data=0x0, cs_id=0xc6b80f50, reverse, flags=0x0, protocol=0
        src ip=10.10.0.0, mask=255.255.255.0, port=0
        dst ip=10.1.1.0, mask=255.255.255.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Thoughts?
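An added consistency check, not part of the question or of any answer on this page, that a practitioner could run over the posted config and packet-tracer output: it flags ACL names that a crypto map or nat 0 statement references but that are never defined (the config above references ASPEN_VPN in the crypto map while the defined crypto ACL is named VPN, which is worth confirming is only a transcription difference), and it pulls the first DROP phase and its drop-reason out of the trace. The inputs are constructed excerpts of the text shown above.

```python
import re

# Constructed excerpt of the ASA 8.2 config posted in the question (names as shown there).
CONFIG = """\
access-list nonat extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map VPNMAP 10 match address ASPEN_VPN
crypto map VPNMAP 10 set peer IPofPEER
crypto map VPNMAP interface outside
"""


def check_acl_references(config):
    """Return findings for ACLs referenced by 'crypto map ... match address' or 'nat (x) 0' but never defined."""
    defined = set(re.findall(r"^access-list (\S+) ", config, re.M))
    findings = []
    for m in re.finditer(r"^crypto map (\S+) (\d+) match address (\S+)", config, re.M):
        name, seq, acl = m.groups()
        if acl not in defined:
            findings.append("crypto map %s %s references undefined ACL %s" % (name, seq, acl))
    for m in re.finditer(r"^nat \((\S+)\) 0 access-list (\S+)", config, re.M):
        iface, acl = m.groups()
        if acl not in defined:
            findings.append("nat (%s) 0 references undefined ACL %s" % (iface, acl))
    return findings


# Constructed packet-tracer excerpt in the same layout as the output posted above.
TRACE = """\
Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def first_drop(trace):
    """Return (phase, type, subtype, drop-reason) for the first phase whose Result is DROP, else None."""
    phases = re.findall(r"Phase: (\d+)\nType: (\S+)\nSubtype: ?(\S*)\nResult: (\w+)", trace)
    reason = re.search(r"^Drop-reason: (.*)$", trace, re.M)
    for num, ptype, sub, result in phases:
        if result == "DROP":
            return int(num), ptype, sub, reason.group(1) if reason else ""
    return None
```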

ASKER CERTIFIED SOLUTION: anoopkmr
farroar (ASKER):

Seems the type error comment pointed me in the right direction. I have it set up as a static currently but will be converting it to dynamic once the static side has some configuration changes made to it.

Thanks.