Solved

ACL Problems with L2L VPN on Cisco ASA (8.3 and 8.4)

Posted on 2016-11-23
Last Modified: 2016-11-25
I have two ASAs:
MAIN BUILDING: ASA 5505 v. 8.3
REMOTE BUILDING: ASA 5505 v. 8.4

My tunnel is up according to my debug output--no errors. However, I'm sure I have an ACL or NAT issue.  Here is the pertinent config info.

MAIN BUILDING Config (8.3)
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.3.1 255.255.252.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 12.xxx.xxx.xxx 255.255.255.240

object-group network MAINBLDG
 network-object 172.16.0.0 255.255.252.0
object-group network REMOTEBLDG
 network-object 172.16.128.0 255.255.255.0

access-list 101 extended permit ip 172.16.0.0 255.255.252.0 172.16.128.0 255.255.255.0
access-list REMOTEL2L extended permit ip object-group MAINBLDG object-group REMOTEBLDG

nat (inside) 0 access-list 101

crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 65535 set transform-set TRANSFORM
crypto dynamic-map dynmap 65535 set reverse-route
crypto map CRMAP 10 match address REMOTEL2L
crypto map CRMAP 10 set peer 74.Xx.xx.xx [masqueraded by Admin]
crypto map CRMAP 10 set transform-set TRANSFORM
crypto map CRMAP 10 set reverse-route
crypto map CRMAP 65535 ipsec-isakmp dynamic dynmap
crypto map CRMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 864000

tunnel-group 74.XXX.XXX.XXX type ipsec-l2l
tunnel-group 74.XXX.XXX.XXX ipsec-attributes
pre-shared-key *****


REMOTE BUILDING CONFIG (8.4)
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.128.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.xxx.xxx.xxx 255.255.255.252

object network REMOTEBLDG
 subnet 172.16.128.0 255.255.255.0
object network MAINBLDG
 subnet 172.16.0.0 255.255.252.0
object network INSIDENET
 subnet 172.16.128.0 255.255.255.0

access-list REMOTEL2L extended permit ip object REMOTEBLDG object MAINBLDG

nat (inside,any) source static REMOTEBLDG REMOTEBLDG destination static MAINBLDG MAINBLDG no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic INSIDENET interface

crypto ipsec ikev1 transform-set TRANSFORM esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dynmap 65535 set ikev1 transform-set TRANSFORM
crypto dynamic-map dynmap 65535 set reverse-route
crypto map CRMAP 10 match address LIBRARY
crypto map CRMAP 10 set peer 12.xxx.xxx.xxx
crypto map CRMAP 10 set ikev1 transform-set TRANSFORM
crypto map CRMAP 10 set reverse-route
crypto map CRMAP 65535 ipsec-isakmp dynamic dynmap
crypto map CRMAP interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

tunnel-group 12.xxx.xxx.xxx type ipsec-l2l
tunnel-group 12.xxx.xxx.xxx ipsec-attributes
 ikev1 pre-shared-key *****


Also, since this is Thanksgiving week, I will be slow to respond, but I will attempt to respond as quickly as possible. Thank you for any consideration.
Question by:Shane Kahkola
8 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 41900194
At first glance, on the remote site:

crypto map CRMAP 10 match address LIBRARY

doesn't match

access-list REMOTEL2L extended permit ip object REMOTEBLDG object MAINBLDG


P
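Pete's observation above is the classic L2L failure mode: the crypto map names an ACL that is not defined, and even when it is, the interesting-traffic ACLs on the two peers must be exact mirror images (each side's source/destination swapped) or phase 2 never completes. The following is an added example (my code, not from the thread or Cisco) that parses trimmed copies of the two posted configs, resolves object and object-group references, and flags both problems; it assumes a single crypto-map entry per side and ACEs of the form "permit ip SRC DST".

```python
import ipaddress
import re
# Trimmed copies of the two posted configs (constructed; masked peer IPs and crypto lines omitted).
MAIN_83 = """\
object-group network MAINBLDG
 network-object 172.16.0.0 255.255.252.0
object-group network REMOTEBLDG
 network-object 172.16.128.0 255.255.255.0
access-list REMOTEL2L extended permit ip object-group MAINBLDG object-group REMOTEBLDG
crypto map CRMAP 10 match address REMOTEL2L
"""
REMOTE_84 = """\
object network REMOTEBLDG
 subnet 172.16.128.0 255.255.255.0
object network MAINBLDG
 subnet 172.16.0.0 255.255.252.0
access-list REMOTEL2L extended permit ip object REMOTEBLDG object MAINBLDG
crypto map CRMAP 10 match address LIBRARY
"""

def parse(cfg):
    """Collect subnet objects/groups, 'permit ip' ACEs and the ACL named by the crypto map."""
    objects, acls, match_acl, current = {}, {}, None, None
    for line in cfg.splitlines():
        if m := re.match(r"object(?:-group)? network (\S+)", line):
            current = m[1]
            objects[current] = []
        elif m := re.match(r"\s+(?:subnet|network-object) (\S+) (\S+)", line):
            objects[current].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)", line):
            acls.setdefault(m[1], []).append(m[2].split())
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            match_acl = m[1]
    return objects, acls, match_acl

def resolve(operand, objects):
    """'object NAME' and 'object-group NAME' resolve via the table; 'ADDR MASK' is a literal subnet."""
    kind, name = operand
    return frozenset(objects[name] if kind in ("object", "object-group") else [ipaddress.ip_network(f"{kind}/{name}")])

def interesting_traffic(cfg):
    """(src, dst) subnet pairs the crypto map will encrypt, or None if its ACL is not defined."""
    objects, acls, match_acl = parse(cfg)
    if match_acl not in acls:
        return None
    return {(resolve(ace[0:2], objects), resolve(ace[2:4], objects)) for ace in acls[match_acl]}

def mirrored(local, remote):
    """Phase 2 only completes when each (src, dst) on one side is (dst, src) on the other."""
    return local is not None and remote is not None and local == {(d, s) for s, d in remote}
```

Running it on the configs as posted returns None for the remote side (LIBRARY is undefined); with the ACL name corrected, the two sides mirror and the check passes.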
 
LVL 3

Author Comment

by:Shane Kahkola
ID: 41900441
I double-checked my config and that entry is a sanitizing mistake.  My match address does match my Access-List name.  I can't figure out how to edit my post to fix that on here, sorry.
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 41900495
No worries,

On both of them issue

management-access inside

then from each side try to ping the inside interface of the ASA in the OTHER site (if that replies then there's probably a NAT problem); if that does not reply, something's staring us in the face (or we need to update the code on the firewalls).

Does 'show cry isa' tell us there's a phase one tunnel established?
Does 'show cry ipsec sa' show packets being encrypted and decrypted?

Take a look at my VPN debugging stuff

P
 
LVL 76

Expert Comment

by:arnold
ID: 41901063
When the VPN is established, run

show crypto ipsec sa
show crypto isakmp

to see whether the VPN interesting pattern is defined correctly.

As prior experts commented, it is not clear where you associate your ACL to the VPN tunnel given you are not exe,print outright ipsec/vpn traffic using the nonat rule given you seem to be configuring the ACL to allow all traffic between the locations.
 
LVL 3

Author Comment

by:Shane Kahkola
ID: 41901754
Arnold,
Can you clarify this statement for me?  I am not following what you mean:
you are not exe,print outright ipsec/vpn traffic

Pete,
I'm looking at your site now--in fact, I borrowed heavily from you in getting my tunnels up to begin with.
 
LVL 76

Expert Comment

by:arnold
ID: 41901875
You are using an ACL though you are not restricting anything.

sysopt connection permit-ipsec
sysopt connection permit-vpn

These will exempt IPSec/VPN traffic from ACL enforcement.

You have to also add remote lan IPs to make sure they are not being directed to the outside interface versus through the VPN tunnel.

I.e. Deny remote.
 
LVL 3

Author Closing Comment

by:Shane Kahkola
ID: 41901876
Pete, your debug process on phase 1 and 2 helped me find the problem. Issuing management-access inside on both devices and starting a persistent ping brought up the tunnels. I have two-way traffic now. Thank you.