Cisco ASA - L2L VPN setup - Dynamic IP - Static IP - Packet Tracer

Asked by farroar (United States). Topics: VPN, Cisco.
I am trying to configure an L2L VPN between two 5505s running 8.2. I think I have all the settings correct, but I am having trouble confirming. I am trying to confirm that this setup will work by using packet tracer. Here is the config of the Dynamic side, with the packet tracer output after. I know having the other side's config listed is good too, but I know that is correct. It isn't connecting, and I've noticed that the packet tracer output drops the packet at encrypt, and the access-list for nonat isn't incrementing but the VPN "interesting traffic" access-list is.

Dynamic IP side:

access-list nonat extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.0.0 255.255.255.0

crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNMAP 10 match address ASPEN_VPN
crypto map VPNMAP 10 set peer IPofPEER
crypto map VPNMAP 10 set transform-set VPNSET
crypto map VPNMAP interface outside

crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

crypto isakmp nat-traversal 10

tunnel-group IPofPEER type ipsec-l2l
tunnel-group IPofPEER ipsec-attributes
 pre-shared-key *****

Output of show access-list:

access-list nonat; 1 elements; name hash: 0x13e041bf
access-list nonat line 1 extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=0) 0x22d25f22
access-list VPN; 1 elements; name hash: 0x5ff33dc8
access-list VPN line 1 extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=62) 0xe7f8523d

Packet Tracer Output:
packet-tracer input inside icmp 10.10.0.10 8 0 10.1.1.7$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc97611f0, priority=0, domain=inspect-ip-options, deny=true
        hits=78459, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9760e68, priority=66, domain=inspect-icmp-error, deny=false
        hits=2431, user_data=0xc9760d50, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 10.10.0.0 255.255.255.0 outside 10.1.1.0 255.255.255.0
    NAT exempt
    translate_hits = 12, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc98fbc38, priority=6, domain=nat-exempt, deny=false
        hits=12, user_data=0xc98001d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=10.10.0.0, mask=255.255.255.0, port=0
        dst ip=10.1.1.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 10.10.0.0 255.255.255.0
  match ip inside 10.10.0.0 255.255.255.0 outside any
    dynamic translation to pool 1 (66.31.98.174 [Interface PAT])
    translate_hits = 76372, untranslate_hits = 4227
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc97e1cf0, priority=1, domain=nat, deny=false
        hits=77803, user_data=0xc97e1c30, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.10.0.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 10.10.0.0 255.255.255.0
  match ip inside 10.10.0.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc97648b0, priority=1, domain=host, deny=false
        hits=81173, user_data=0xc97bb128, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.10.0.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc97ba9c8, priority=0, domain=host-limit, deny=false
        hits=80447, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xc97fdb30, priority=70, domain=encrypt, deny=false
        hits=32, user_data=0x0, cs_id=0xc6b80f50, reverse, flags=0x0, protocol=0
        src ip=10.10.0.0, mask=255.255.255.0, port=0
        dst ip=10.1.1.0, mask=255.255.255.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Thoughts?
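When a trace like the one above has to be read repeatedly, it helps to parse it rather than eyeball it. The script below is an added example, not code from the poster or from Cisco: it splits ASA packet-tracer output into phases, reports the first phase that returns DROP together with the final Drop-reason, parses the (hitcnt=N) counters from show access-list to list ACLs that have never matched, and checks that every crypto map "match address" name refers to an access-list that is actually defined. The SAMPLE_* strings are constructed, abbreviated copies of the output in the post (the peer address is the post's own IPofPEER placeholder). On the posted config the last check flags ASPEN_VPN, since the only access-lists defined are nonat and VPN; that is something to confirm on the running config, not a diagnosis.

```python
"""Parse Cisco ASA packet-tracer output and sanity-check an ASA 8.2 crypto map config.

Added example; sample data below is constructed from the post's format, not the full output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed, abbreviated packet-tracer output: phases 1, 4 and 8 plus the summary block.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 10.10.0.0 255.255.255.0 outside 10.1.1.0 255.255.255.0
    NAT exempt
    translate_hits = 12, untranslate_hits = 0

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 out id=0xc97fdb30, priority=70, domain=encrypt, deny=false

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed config fragment using the same object names as the post (IPofPEER is a placeholder).
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map VPNMAP 10 match address ASPEN_VPN
crypto map VPNMAP 10 set peer IPofPEER
crypto map VPNMAP interface outside
"""

# Constructed 'show access-list' lines in the post's format.
SAMPLE_SHOW_ACL = """\
access-list nonat line 1 extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=0) 0x22d25f22
access-list VPN line 1 extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=62) 0xe7f8523d
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    lines: list[str] = field(default_factory=list)


def parse_trace(text: str) -> tuple[list[Phase], dict[str, str]]:
    """Split packet-tracer output into Phase objects plus the trailing 'Result:' summary."""
    phases: list[Phase] = []
    summary: dict[str, str] = {}
    current: Phase | None = None
    for line in text.splitlines():
        m = re.match(r"Phase:\s*(\d+)\s*$", line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            continue
        if line.strip() == "Result:":  # bare 'Result:' opens the final summary block
            current = None
            continue
        if current is not None:
            current.lines.append(line)
            for key in ("Type", "Subtype", "Result"):
                if line.startswith(key + ":"):
                    setattr(current, key.lower(), line.split(":", 1)[1].strip())
        elif ":" in line:
            k, v = line.split(":", 1)
            summary[k.strip()] = v.strip()
    return phases, summary


def first_drop(phases: list[Phase]) -> Phase | None:
    """The phase where the ASA stopped the packet, or None if every phase allowed it."""
    return next((p for p in phases if p.result == "DROP"), None)


def acl_hitcounts(show_output: str) -> dict[str, dict[int, int]]:
    """Map ACL name -> {line number: hitcnt} from 'show access-list' output."""
    hits: dict[str, dict[int, int]] = {}
    for m in re.finditer(r"^access-list (\S+) line (\d+) .*?\(hitcnt=(\d+)\)", show_output, re.M):
        hits.setdefault(m.group(1), {})[int(m.group(2))] = int(m.group(3))
    return hits


def dangling_crypto_acls(config: str) -> list[str]:
    """crypto map 'match address' names that no 'access-list <name>' line defines."""
    defined = {m.group(1) for m in re.finditer(r"^access-list (\S+) ", config, re.M)}
    refs = re.findall(r"^crypto map \S+ \d+ match address (\S+)", config, re.M)
    return [name for name in refs if name not in defined]


def diagnose(trace: str, config: str, show_acl: str) -> dict:
    """Summarise where the trace dropped, why, and which config facts are worth checking."""
    phases, summary = parse_trace(trace)
    drop = first_drop(phases)
    counts = acl_hitcounts(show_acl)
    return {
        "drop_phase": f"{drop.type}/{drop.subtype}" if drop else None,
        "drop_reason": summary.get("Drop-reason"),
        "zero_hit_acls": sorted(n for n, lines in counts.items() if not any(lines.values())),
        "dangling_crypto_acls": dangling_crypto_acls(config),
    }


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_TRACE, SAMPLE_CONFIG, SAMPLE_SHOW_ACL).items():
        print(f"{k}: {v}")
```

Feed it the real output by pasting the text of "packet-tracer", "show running-config" and "show access-list" into the three arguments; the zero-hit list only means an ACL has not matched since its counters were last cleared, so compare it with the interesting-traffic ACL that is incrementing.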