• Status: Solved

ACL Problems with L2L VPN on Cisco ASA (8.3 and 8.4)

I have two ASAs:
MAIN BUILDING: ASA 5505 v. 8.3
REMOTE BUILDING: ASA 5505 v. 8.4

My tunnel is up according to my debug output--no errors. However, I'm sure I have an ACL or NAT issue.  Here is the pertinent config info.

MAIN BUILDING Config (8.3)
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.3.1 255.255.252.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 12.xxx.xxx.xxx 255.255.255.240

object-group network MAINBLDG
 network-object 172.16.0.0 255.255.252.0
object-group network REMOTEBLDG
 network-object 172.16.128.0 255.255.255.0

access-list 101 extended permit ip 172.16.0.0 255.255.252.0 172.16.128.0 255.255.255.0
access-list REMOTEL2L extended permit ip object-group MAINBLDG object-group REMOTEBLDG

nat (inside) 0 access-list 101

crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 65535 set transform-set TRANSFORM
crypto dynamic-map dynmap 65535 set reverse-route
crypto map CRMAP 10 match address REMOTEL2L
crypto map CRMAP 10 set peer 74.Xx.xx.xx [masqueraded by Admin]
crypto map CRMAP 10 set transform-set TRANSFORM
crypto map CRMAP 10 set reverse-route
crypto map CRMAP 65535 ipsec-isakmp dynamic dynmap
crypto map CRMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 864000

tunnel-group 74.XXX.XXX.XXX type ipsec-l2l
tunnel-group 74.XXX.XXX.XXX ipsec-attributes
pre-shared-key *****



REMOTE BUILDING CONFIG (8.4)
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.128.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.xxx.xxx.xxx 255.255.255.252

object network REMOTEBLDG
 subnet 172.16.128.0 255.255.255.0
object network MAINBLDG
 subnet 172.16.0.0 255.255.252.0
object network INSIDENET
 subnet 172.16.128.0 255.255.255.0

access-list REMOTEL2L extended permit ip object REMOTEBLDG object MAINBLDG

nat (inside,any) source static REMOTEBLDG REMOTEBLDG destination static MAINBLDG MAINBLDG no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic INSIDENET interface

crypto ipsec ikev1 transform-set TRANSFORM esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dynmap 65535 set ikev1 transform-set TRANSFORM
crypto dynamic-map dynmap 65535 set reverse-route
crypto map CRMAP 10 match address LIBRARY
crypto map CRMAP 10 set peer 12.xxx.xxx.xxx
crypto map CRMAP 10 set ikev1 transform-set TRANSFORM
crypto map CRMAP 10 set reverse-route
crypto map CRMAP 65535 ipsec-isakmp dynamic dynmap
crypto map CRMAP interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

tunnel-group 12.xxx.xxx.xxx type ipsec-l2l
tunnel-group 12.xxx.xxx.xxx ipsec-attributes
 ikev1 pre-shared-key *****



Also, since this is Thanksgiving week, I will be slow to respond, but I will attempt to respond as quickly as possible. Thank you for any consideration.
Asked by: Shane Kahkola

1 Solution
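The question is whether the crypto ACL and NAT setup on the two ASAs line up. The first thing to verify on any L2L tunnel is that the interesting-traffic ACLs are exact mirror images (each local src/dst pair appears as dst/src on the peer), because a non-mirrored proxy identity breaks phase 2 or leaves part of the traffic outside the tunnel. Because `sysopt connection permit-vpn` is on by default, traffic arriving through the tunnel bypasses the outside interface ACL, so the crypto ACL is effectively the access policy between the sites and should stay as narrow as the two subnets, as both configs here do. One caveat on the main-building config: `nat (inside) 0 access-list` is the pre-8.3 exemption syntax; 8.3 and later express exemption as the twice-NAT `nat (inside,any) source static ... destination static ...` line seen in the remote config. The following script is an added example, not code from the original post; it resolves both the 8.3-style `object-group` and the 8.4-style `object` references from a constructed object table built from the two posted configs and checks that the ACLs mirror.

```python
"""Mirror check for the interesting-traffic (crypto) ACLs of an ASA L2L tunnel.

Added example, not code from the original post. The object definitions and
ACL lines below are constructed from the two configs in the question, with
the 8.3-style 'object-group' and the 8.4-style 'object' references both
resolved to networks; object names not present in the table are treated as
an error.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]

# Constructed from the thread: name -> "network/mask" as the ASA writes it.
MAIN_OBJECTS: Dict[str, str] = {
    "MAINBLDG": "172.16.0.0/255.255.252.0",
    "REMOTEBLDG": "172.16.128.0/255.255.255.0",
}
REMOTE_OBJECTS: Dict[str, str] = {
    "REMOTEBLDG": "172.16.128.0/255.255.255.0",
    "MAINBLDG": "172.16.0.0/255.255.252.0",
}
MAIN_ACL = [
    "access-list REMOTEL2L extended permit ip object-group MAINBLDG object-group REMOTEBLDG",
]
REMOTE_ACL = [
    "access-list REMOTEL2L extended permit ip object REMOTEBLDG object MAINBLDG",
]


def _endpoint(tokens: List[str], objects: Dict[str, str]) -> Tuple[Net, List[str]]:
    """Consume one ACL endpoint (object, object-group, host, any or 'addr mask')."""
    head = tokens[0]
    if head in ("object", "object-group"):
        return ipaddress.ip_network(objects[tokens[1]], strict=False), tokens[2:]
    if head == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if head in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # plain "address netmask" pair
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(lines: List[str], objects: Dict[str, str]) -> List[Pair]:
    """Return (source, destination) network pairs from 'permit ip' ACEs."""
    pairs: List[Pair] = []
    for line in lines:
        tokens = line.split()
        # Only 'access-list NAME extended permit ip ...' is handled; remarks,
        # deny lines and port-specific ACEs are skipped.
        if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2:5] != ["extended", "permit", "ip"]:
            continue
        src, rest = _endpoint(tokens[5:], objects)
        dst, _ = _endpoint(rest, objects)
        pairs.append((src, dst))
    return pairs


def mirror_mismatches(local: List[Pair], remote: List[Pair]) -> List[str]:
    """Each local (src, dst) must exist on the remote side as (dst, src), and vice versa.

    A non-mirrored pair is a proxy-identity mismatch: phase 2 either fails or
    comes up for a subset, and traffic outside that subset never enters the
    tunnel (on the ASA it is then NATed out of the outside interface instead).
    """
    mirrored_remote = {(d, s) for s, d in remote}
    local_set = set(local)
    problems: List[str] = []
    for s, d in local:
        if (s, d) not in mirrored_remote:
            problems.append(f"local {s} -> {d} has no mirrored entry on the remote side")
    for s, d in remote:
        if (d, s) not in local_set:
            problems.append(f"remote {s} -> {d} has no mirrored entry on the local side")
    return problems


def is_interesting(pairs: List[Pair], src_ip: str, dst_ip: str) -> bool:
    """True if a src->dst flow matches the crypto ACL (so it would be sent into the tunnel)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in pairs)


if __name__ == "__main__":
    main_pairs = parse_crypto_acl(MAIN_ACL, MAIN_OBJECTS)
    remote_pairs = parse_crypto_acl(REMOTE_ACL, REMOTE_OBJECTS)
    for p in mirror_mismatches(main_pairs, remote_pairs) or ["crypto ACLs mirror each other"]:
        print(p)
    # The inside-to-inside ping test only proves anything if it is interesting traffic.
    print("172.16.3.1 -> 172.16.128.1 interesting:",
          is_interesting(main_pairs, "172.16.3.1", "172.16.128.1"))
```

Run it against the real `show running-config access-list` and `show running-config object` output of both boxes; `is_interesting` is worth calling with the two inside interface addresses before trying the inside-to-inside ping, since a ping that does not match the crypto ACL tells you nothing about the tunnel.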
Pete Long (Technical Consultant) commented:
At first glance, on the remote site:

crypto map CRMAP 10 match address LIBRARY
doesn't match
access-list REMOTEL2L extended permit ip object REMOTEBLDG object MAINBLDG


P
 
Shane Kahkola (Director of I.T., Author) commented:
I double-checked my config and that entry is a sanitizing mistake.  My match address does match my Access-List name.  I can't figure out how to edit my post to fix that on here, sorry.
 
Pete Long (Technical Consultant) commented:
No worries,

On both of them issue

management-access inside

then from each side try to ping the inside interface of the ASA in the OTHER site (if that replies, then there's probably a NAT problem); if that does not reply, something's staring us in the face (or we need to update the code on the firewalls).

Does 'show cry isa' tell us there's a phase one tunnel established?
Does 'show cry ipsec sa' show packets being encrypted and decrypted?

Take a Look at my VPN Debugging stuff

P
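The two show commands above are the whole diagnosis: `show crypto isakmp sa` tells you whether phase 1 is up, and the encaps/decaps counters in `show crypto ipsec sa` tell you which direction is broken. Reading them by eye is error-prone on a box with several SAs, so here is an added example (not from the original thread or from Pete's site) that parses both outputs and classifies each phase-2 SA. The sample output is constructed, modelled on the ASA 8.x format, and the peer and local addresses in it are placeholders, not the poster's masked addresses.

```python
"""Classify an ASA L2L tunnel from 'show crypto isakmp sa' / 'show crypto ipsec sa'.

Added example, not part of the original thread. The sample output is
constructed, modelled on the ASA 8.x format; addresses are placeholders.
"""
import re
from typing import Dict, List

ISAKMP_SAMPLE = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 74.0.0.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

IPSEC_SAMPLE = """\
interface: outside
    Crypto map tag: CRMAP, seq num: 10, local addr: 12.0.0.2

      access-list REMOTEL2L extended permit ip 172.16.0.0 255.255.252.0 172.16.128.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.0.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.128.0/255.255.255.0/0/0)
      current_peer: 74.0.0.2

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #send errors: 0, #recv errors: 0
"""


def isakmp_active_peers(text: str) -> List[str]:
    """Peers whose phase-1 SA is established: MM_ACTIVE (main mode) or AM_ACTIVE (aggressive)."""
    peers: List[str] = []
    current = None
    for line in text.splitlines():
        m = re.search(r"IKE Peer:\s*(\S+)", line)
        if m:
            current = m.group(1)
        if current and re.search(r"State\s*:\s*(MM|AM)_ACTIVE", line):
            peers.append(current)
            current = None
    return peers


def parse_ipsec_sa(text: str) -> List[Dict[str, object]]:
    """One dict per proxy identity (phase-2 SA): local/remote ident, peer, encaps/decaps counts."""
    sas: List[Dict[str, object]] = []
    cur: Dict[str, object] = {}
    for line in text.splitlines():
        m = re.search(r"local ident.*?:\s*\(([^)]*)\)", line)
        if m:  # a new SA block starts with its local ident
            if cur:
                sas.append(cur)
            cur = {"local": m.group(1), "encaps": 0, "decaps": 0}
            continue
        if not cur:
            continue
        m = re.search(r"remote ident.*?:\s*\(([^)]*)\)", line)
        if m:
            cur["remote"] = m.group(1)
        m = re.search(r"current_peer:\s*(\S+)", line)
        if m:
            cur["peer"] = m.group(1)
        m = re.search(r"#pkts encaps:\s*(\d+)", line)
        if m:
            cur["encaps"] = int(m.group(1))
        m = re.search(r"#pkts decaps:\s*(\d+)", line)
        if m:
            cur["decaps"] = int(m.group(1))
    if cur:
        sas.append(cur)
    return sas


def diagnose(sa: Dict[str, object]) -> str:
    """Map the encaps/decaps counters to the usual L2L failure modes."""
    enc, dec = int(sa["encaps"]), int(sa["decaps"])
    if enc and dec:
        return "ok: traffic is encrypted and decrypted in both directions"
    if enc and not dec:
        return ("one-way: this side encrypts but never decrypts; check the far side's "
                "crypto ACL, NAT exemption and return route")
    if dec and not enc:
        return ("one-way: this side decrypts but never encrypts; check this side's "
                "NAT exemption and that replies are routed to the outside interface")
    return "idle: no interesting traffic has matched the crypto ACL yet"


if __name__ == "__main__":
    print("phase 1 up with:", isakmp_active_peers(ISAKMP_SAMPLE))
    for sa in parse_ipsec_sa(IPSEC_SAMPLE):
        print(f"{sa['local']} <-> {sa['remote']} via {sa['peer']}: {diagnose(sa)}")
```

The "idle" case is exactly what the persistent ping fixes: an L2L crypto map only negotiates phase 2 when a packet matches the crypto ACL, so a tunnel with a working phase 1 and zero counters on both sides is not broken, it just has not been asked to carry anything yet.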
arnold commented:
When vpn is established, run
Show crypto IPSec sa
Show crypto isakmp

To see whether the VPN interesting pattern is defined correctly.

As prior experts commented, it is not clear where you associate your ACL to the VPN tunnel given you are not exe,print outright ipsec/vpn traffic using the nonat rule given you seem to be configuring the ACL to allow all traffic between the locations.
 
Shane Kahkola (Director of I.T., Author) commented:
Arnold,
Can you clarify this statement for me?  I am not following what you mean:
you are not exe,print outright ipsec/vpn traffic

Pete,
I'm looking at your site now--in fact, I borrowed heavily from you in getting my tunnels up to begin with.
 
arnold commented:
You are using an ACL though you are not restricting anything.
Sysopt connection permit-ipsec
Sysopt connection permit-VPN

These will exempt IPSec/VPN traffic from ACL enforcement.

You have to also add remote lan IPs to make sure they are not being directed to the outside interface versus through the VPN tunnel.

I.e. Deny remote.
 
Shane Kahkola (Director of I.T., Author) commented:
Pete, your debug process on phase 1 and 2 helped me find the problem.  Issuing management-access inside on both devices, and starting a persistent ping brought up the tunnels.  I have two-way traffic now. Thank you.
Question has a verified solution.