Any traffic sent through my IPsec tunnel
Hi support community,
I've been struggling for days which is - I guess - something very basic.
I have a router that I want to connect to my ASA via the VPN. This router has a dynamic IP, so I managed to make it appear the tunnel with a dynamic crypto map, and the router falls into the DefaultL2LGroup (I guess I have no choice anyway, at me if I'm wrong). So that part is OK now, the tunnel is UP.
However, SAA, I can see packets entering the tunnel but no package is removed from the ASA to the router.
ASA is a private network router and 192.168.250.0/24 has 192.168.242.0/24.
And here is the : configuration
Allow OPT_cryptomap_2 to access extended list ip 192.168.242.0 255.255.255.0
Dynamic crypto map CIPAC-ENERGY-VALE3 2 match address OPT_cryptomap_2
map OPT_map 2-isakmp dynamic ipsec CIPAC-ENERGY-VALE3 crypto
I do not understand what Miss me. I can not ping to the interface on the ASA (I have a permit icmp any one on the interface), but without success.
This means that packets are decpasulated and do not yet reach the virtual interface on the ASA?
Tunnel is UP:
Show the details of its crypto isakmp
IKE Peer: 180.214.xx.102
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE
Encryption: aes - 256 Hash: SHA
AUTH: preshared Lifetime: 86400
See the crypto
address of the peers: 180.214.xx.102
Tag crypto map: CIPAC-ENERGY-VALE3, seq num: 2, local addr: 202.xxx.xx.14
Access extensive list ip 192.168.250.0 OPT_cryptomap_2 allow 255.255.255.0 192.168.242.0 255.255.255.0
local ident (addr, mask, prot, port): (192.168.250.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.242.0/255.255.255.0/0/0)
current_peer: 180.214.xx.102
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 90, #pkts decrypt: 80, #pkts check: 10
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#pkts not his (send): 0, invalid #pkts his (RRs): 0
#pkts program failed (send): 0, #pkts decaps failed (RRs): 0
#pkts invalid prot (RRs): 0, #pkts check failed: 0
invalid identity #pkts (RRs): #pkts invalid len (RRs), 5: 0
#pkts incorrect key (RRs): 0,
#pkts invalid ip version (RRs): 0,
replay reversal (send) #pkts: 0, #pkts replay reversal (RRs): 0
#pkts replay failed (RRs): 0
#pkts min frag mtu failed (send): bad frag offset 0, #pkts (RRs): 0
#pkts internal err (send): 0, #pkts internal err (RRs): 0
local crypto endpt. : 202.xxx.xx.14/0, remote Start crypto. : 180.214.xx.102/0
Path mtu 1500, fresh ipsec generals 74, media, mtu 1500
current outbound SPI: B30EBC2B
current inbound SPI: 52DD8189
Ping from the ASA interface to the router:
# Ping ASA001
TCP Ping [n]:
Interface: CLT-CIPAC-VALE (192.168.250.1)
Target IP address: 192.168.242.254
County of repeat: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Scan the range of sizes [n]:
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.242.254, wait time is 2 seconds:
?????
Success rate is 0% (0/5)
And still no traffic sent through the tunnel.
As I'm not familiar with IPSEC to help or guidelines of troubleshhot would be really appreciated, I've been through a lot of documentation (forums, guides for cisco and other items).
Best regards
Florian
If you try to ping the inside interface try 'management-access to inside' and see if it works.
Thank you
Tarik Admani
* Please note the useful messages *.
Tags: Cisco Security
Similar Questions
-
Cannot reach the destination of an IPSec tunnel through another IPSec tunnel
Hi all
I have a PIX 515E version 8.0 (2).
I have two remote sites connected to this PIX via IPSec tunnels.
Each remote site can reach local networks behind the PIX, but I can't reach remoteSiteB remoteSiteA.
Thus,.
SiteA <----- ipsec="" -----="">PIX1 SiteX <---------------->10.0.8.1 10.30.8.254
SiteB <----- ipsec="" -----="">PIX1 SiteX <---------------->10.0.8.1 10.138.34.21
SiteA can ping SiteX
SiteB can ping SiteX
SiteA cannot ping SiteB
SiteB cannot ping SiteA
If I do not show crypto isakmp ipsec his I see appropriate subnets:
Tag crypto map: CRYPTO-MAP, seq num: 4, local addr: 203.166.1.1
permit access-list ACLVPN-TO_SITEA ip 10.138.34.16 255.255.255.240 host 10.30.8.254
local ident (addr, mask, prot, port): (10.138.34.16/255.255.255.240/0/0)
Remote ident (addr, mask, prot, port): (10.30.8.254/255.255.255.255/0/0)
current_peer: 104.86.2.4
Tag crypto map: CRYPTO-MAP, seq num: 5, local addr: 203.166.1.1
access-list ACLVPN-TO_SITEB allowed host ip 10.30.8.254 10.138.34.16 255.255.255.240
local ident (addr, mask, prot, port): (10.30.8.254/255.255.255.255/0/0)
Remote ident (addr, mask, prot, port): (10.138.34.16/255.255.255.240/0/0)
current_peer: 216.178.200.200
Journal messages that seem to point to the problem...
April 18, 2013 13:27:35: % PIX-4-402116: IPSEC: received a package of ESP (SPI = 0xD51BB13A, sequence number = 0x21A) 104.86.2.4 (user = 104.86.2.4) at 203.166.1.1. Inside the package décapsulés does not match policy negotiated in the SA. The package indicates its destination as 10.138.34.21, its source as 10.30.8.254 and its Protocol 6. SA specifies its local proxy like 10.0.8.0/255.255.255.0/0/0 and his remote_proxy as 10.30.8.254/255.255.255.255/0/0
My question is really what I have to do something funky to allow traffic to pass between the two tunnels?
Hello
This could be much easier if we have seen the real configurations.
But here are some things to be confirmed in the configurations (some of them you mentioned above, but I still quote once again)
- Make sure that each firewall, you set the appropriate VPN L2L ACL
- Make sure that you have configured NAT0 on the central PIX "outside" interface for the Site A and Site B
- Make sure the Central PIX has "same-security-traffic permit intra-interface" configured. This will allow the Site traffic to enter the Central PIX 'outside' interface and head back on the same interface to Site B. And vice versa.
To view some actual configurations that may be required provided everything else is ok. (I assume that all devices are Cisco)
Central PIX
permit same-security-traffic intra-interface
A connection to the site
SITE-A-CRYPTOMAP of the 10.0.8.0 ip access list allow 255.255.255.0 host 10.30.8.254
SITE-A-CRYPTOMAP of the 10.138.34.16 ip access list allow 255.255.255.240 host 10.30.8.254
Site B connection
SITE-B-CRYPTOMAP of the 10.0.8.0 ip access list allow 255.255.255.0 10.138.34.16 255.255.255.240
SITE-B-CRYPTOMAP to the list of allowed access host ip 10.30.8.254 10.138.34.16 255.255.255.240
NAT0
access list for the INTERIOR-NAT0 allowed ip 10.0.8.0 255.255.255.0 host 10.30.8.254
access list for the INTERIOR-NAT0 allowed ip 10.0.8.0 255.255.255.0 10.138.34.16 255.255.255.240
NAT (inside) 0-list of access to the INTERIOR-NAT0
OUTSIDE-NAT0 allowed host ip 10.30.8.254 access list 10.138.34.16 255.255.255.240
OUTSIDE-NAT0 allowed ip 10.138.34.16 access list 255.255.255.240 host 10.30.8.254
NAT (outside) 0-list of access OUTSIDE-NAT0
Site has
CENTRAL-SITE-CRYPTOMAP to the list of allowed access host ip 10.30.8.254 10.0.8.0 255.255.255.0
CENTRAL-SITE-CRYPTOMAP to the list of allowed access host ip 10.30.8.254 10.138.34.16 255.255.255.240
the INTERIOR-NAT0 allowed host ip 10.30.8.254 access list 10.0.8.0 255.255.255.0
the INTERIOR-NAT0 allowed host ip 10.30.8.254 access list 10.138.34.16 255.255.255.240
NAT (inside) 0-list of access to the INTERIOR-NAT0
Site B---------------->----->---------------->----->
CENTRAL-SITE-CRYPTOMAP of the 10.138.34.16 ip access list allow 255.255.255.240 10.0.8.0 255.255.255.0
CENTRAL-SITE-CRYPTOMAP of the 10.138.34.16 ip access list allow 255.255.255.240 host 10.30.8.254
the INTERIOR-NAT0 allowed host ip 10.138.34.16 access list 255.255.255.240 10.0.8.0 255.255.255.0
the INTERIOR-NAT0 allowed host ip 10.138.34.16 access list 255.255.255.240 host 10.30.8.254
NAT (inside) 0-list of access to the INTERIOR-NAT0
Hope this helps
-Jouni
-
Hello
I have set up an ipsec tunnel between rv180 (site A) and asa5520 (site B) successful. The dhcp server to clients is on the B site. The dhcp clients request going through the tunnel, they leave the rv180 on the wan interface and arrive at site B with the wan-ipaddress from site A. The configured dhcp-relay on the website match the remote network (site B), configured in the on site A ipsec tunnel. Is there anyway that all traffic pass through the ipsec tunnel? We want it for security reasons.
Any help is greatly appreciated.
Ralf
Dear Ralf,
Thank you to reach small business support community.
Unfortunately the relay DHCP Relay not of DHCP request to the IPSec VPN tunnel. I hope that this answer to your question and do not hesitate to contact me if there is any additional help with what I can help you.
Kind regards
Jeffrey Rodriguez S... : | :. : | :.
Support Engineer Cisco client* Please rate the Post so other will know when an answer has been found.
-
IPSec tunnel and NetFlow packets
I have a router 1841 IPSec running with an ASA. F0/0 is the source interface. I also set up NetFlow, which must be sent through the IPSec tunnel to the parser. The acl setting the IPSec interesting traffic covers addresses, source and destination of NetFlow. But NetFlow Traffic is not captured by the tunnel. When I ping the destination router, icmp traffic is picked up and goes through the tunnel. Are there ways to force NetFlow traffic to go to the tunnel?
Thank you.
Y at - it a route to the destination address of netflow? I have noted problems with traffic heading towards a destination that was not in the routing table is not made down a VPN.
-
Traffic is failed on plain IPSec tunnel between two 892 s
Have a weird case and you are looking for some suggestions/thougs where to dig because I have exhausted the options.
Note: I replaced the Networkid real to a mentined below.
Topology: a classic IPSec VPN tunnel between two 892 s of Cisco, with pre-shared key and no GRE. A 892 (branch_892) has access to the Internet using PPPoE and has three network / VLAN behind it. A VLAN is coordinated to the PPPoE internet access. Access to the other two VLAN - VL92 (100.100.200.0/24) and VL93 (100.100.100.0/24) is performed via the VPN tunnel.
Second 892 (892_DC) has just one interface - WAN on Gigabit enabled/connected and a static route to the default GW. It doesn't have any defined interal network. If the router is strictly used to send traffic to VL92/VL93 to the domestic 892 via IPSec tunnel.
Here's the problem: access to VL93 (100.100.100.0/24) works, however for VL92 (100.100.100.0/24) - does not work.
Devices in VL92 I ping IP address of 892_DC through the VPN tunnel. The 892_DC router I can ping devices in VL92. However, I can't VL92 ping any device beyond the 892_DC and at the same time the packets arriving on 892_DC for VL92 are not sent through the VPN tunnel.
I took the package trace on 892_DC using capture point/buffer to nathalie caron to VL92 packages and saw that the traffic coming to the 892_DC. I run the nathalie caron even on Branch_892, and there was not a single package.
So... What's the problem? More interesting, I modified the way left on VL92 access list and still - no packets are sent through the tunnel.
Any idea? Two routers config are below
-------
892_DC #show ru
!
crypto ISAKMP policy 10
BA aes 256
hash sha256
preshared authentication
Group 2
isakmp encryption key * address 1.2.3.4
ISAKMP crypto keepalive 10 periodicals
!
address of 1.2.3.4 crypto isakmp peers
Description of-COIL-892
!
!
Crypto ipsec transform-set IT-IPSec-Transform-Set esp - aes 256 sha256-esp-hmac
Crypto ipsec df - bit clear
!
map IT ipsec - IPSec crypto - Crypto - map 10-isakmp
defined peer 1.2.3.4
disable the kilobytes of life together - the security association
86400 seconds, life of security association set
the transform-set IT-IPSec-Transform-Set value
match a lists 101
market arriere-route
QoS before filing
!
interface GigabitEthernet0
IP 10,20,30,40 255.255.255.240
IP 1400 MTU
IP tcp adjust-mss 1360
automatic duplex
automatic speed
card crypto IT-IPSec-Crypto-map
!
IP route 0.0.0.0 0.0.0.0 10.20.30.41
!
access list 101 ip allow any 100.100.100.0 0.0.0.255 connect
access list 101 ip allow any 100.100.200.0 0.0.0.255 connect
-------------------------------------------------------------------------------------
Branch_892 #sh run
!
crypto ISAKMP policy 10
BA aes 256
hash sha256
preshared authentication
Group 2
isakmp encryption key * address 10,20,30,40
ISAKMP crypto keepalive 10 periodicals
!
address peer isakmp crypto 10,20,30,40
!
!
Crypto ipsec transform-set IT-IPSec-Transform-Set esp - aes 256 sha256-esp-hmac
Crypto ipsec df - bit clear
!
map IT ipsec - IPSec crypto - Crypto - map 10-isakmp
defined peer 10,20,30,40
disable the kilobytes of life together - the security association
86400 seconds, life of security association set
the transform-set IT-IPSec-Transform-Set value
match address 101
market arriere-route
QoS before filing
!
FastEthernet6 interface
Description VL92
switchport access vlan 92
!
interface FastEthernet7
Description VL93
switchport access vlan 93
!
interface GigabitEthernet0
Description # to WAN #.
no ip address
automatic duplex
automatic speed
PPPoE-client dial-pool-number 1
!
interface Vlan1
Description # local to #.
IP 192.168.1.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
interface Vlan92
Description fa6-nexus e100/0/40
IP 100.100.200.1 255.255.255.0
!
interface Vlan93
Description fa7-nexus e100/0/38
IP 100.100.100.1 255.255.255.0
!
interface Dialer0
no ip address
No cdp enable
!
interface Dialer1
IP 1.2.3.4 255.255.255.248
IP mtu 1454
NAT outside IP
IP virtual-reassembly in max-pumping 256
encapsulation ppp
IP tcp adjust-mss 1414
Dialer pool 1
Dialer-Group 1
Authentication callin PPP chap Protocol
PPP chap hostname ~ ~ ~
PPP chap password =.
No cdp enable
card crypto IT-IPSec-Crypto-map
!
Dialer-list 1 ip protocol allow
!
access-list 101 permit ip 100.100.100.0 0.0.0.255 any
access-list 101 permit ip 100.100.200.0 0.0.0.255 any
!
IP route 0.0.0.0 0.0.0.0 Dialer1
Yes correct sounds - so another possible problem is the routing is routing 100% correct on both sides? Can you put the two sides config for review?
-
Cisco's ASA IPsec tunnel disconnects after a while
Hi all
I've set up an IPsec tunnel between sonicwall pro road and cisco ASA 5510. The well established tunnel and two subnets can access each other.
I then added a static route to a public ip address on the sonicwall ipsec policy, so that all traffic to this ip address will go through the IPsec tunnel. It also works very well.
But the problem is aftre tunnel Ipsec sometimes breaks down, and then I need to renegotiate the ipsec on sonicwall to restore the tunnel.
This happens twice a day. I'm whther fear that this behavior is because of problems with config. I'm pasting my ASA running Setup here. Plese give some advice.
SonicWALL publicip 1.1.1.2 192.168.10.0 subnet
Cisco ASA publicip 1.1.1.1 subnet 192.168.5.0
ciscoasa # sh run
: Saved
:
ASA Version 8.2 (1)
!
ciscoasa hostname
domain default.domain.invalid
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
Speed 100
full duplex
nameif outside
security-level 0
IP 1.1.1.1 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
192.168.5.1 IP address 255.255.255.0
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
passive FTP mode
DNS domain-lookup outside
DNS lookup field inside
DNS server-group DefaultDNS
Server name 66.28.0.45
Server name 66.28.0.61
domain default.domain.invalid
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
object-group service rdp tcp
EQ port 3389 object
object-group service tcp OpenVPN
port-object eq 1194
access list outside extended permit icmp any any echo response
access list outside extended permit tcp any host # eq pptp
outside allowed extended access will list any host #.
list of extended outside access permit udp any any eq 1701
extended outdoor access allowed icmp a whole list
access list outside extended permit tcp any host # eq ftp
access list outside extended permit tcp any host # eq ssh
list of extended outside access permit tcp any host # object - group rdp
turn off journal
access list outside extended permit tcp any host 1.1.1.1 object - group Open
VPN
access-list sheep extended ip 192.168.5.0 allow 255.255.255.0 192.168.5.0 255
. 255.255.0
access-list sheep extended ip 192.168.5.0 allow 255.255.255.0 192.168.10.0 255
. 255.255.0
L2L 192.168.5.0 ip extended access-list allow 255.255.255.0 192.168.10.0 255.2
55.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
management of MTU 1500
IP local pool ippool 192.168.5.131 - 192.168.5.151 mask 255.255.255.0
IP local pool l2tppool 192.168.5.155 - 192.168.5.200 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 621.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (outside) 1 192.168.10.0 255.255.255.0
NAT (outside) 1 192.168.5.0 255.255.255.0
NAT (inside) 0 access-list sheep
NAT (inside) 1 192.168.5.0 255.255.255.0
outside access-group in external interface
Route outside 0.0.0.0 0.0.0.0 38.106.51.121 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
AAA authentication LOCAL telnet console
Enable http server
http 192.168.1.0 255.255.255.0 management
http 192.168.5.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic dynmap 5 the value reverse-road
Crypto easyvpn dynamic-map 10 transform-set RIGHT
Crypto-map dynamic easyvpn 10 reverse-drive value
card crypto mymap 10 correspondence address l2l
card crypto mymap 10 set peer 1.1.1.2
card crypto mymap 10 transform-set RIGHT
map mymap 30000-isakmp ipsec crypto dynamic easyvpn
mymap outside crypto map interface
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 20
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Crypto isakmp nat-traversal 3600
Telnet 192.168.5.0 255.255.255.0 inside
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 5
Console timeout 0
Hello to tunnel L2TP 10
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
value of 66.28.0.45 DNS server 66.28.0.61
Protocol-tunnel-VPN IPSec l2tp ipsec
field default value cisco.com
attributes of Group Policy DfltGrpPolicy
internal band easyvpn strategy
attributes of the strategy of band easyvpn
value of 66.28.0.45 DNS server 66.28.0.61
Protocol-tunnel-VPN IPSec
enable IPSec-udp
Split-tunnel-policy tunnelall
the address value ippool pools
VPN-group-policy DefaultRAGroup
attributes global-tunnel-group DefaultRAGroup
address l2tppool pool
Group Policy - by default-DefaultRAGroup
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared-key *.
tunnel-group DefaultRAGroup ppp-attributes
No chap authentication
ms-chap-v2 authentication
tunnel-group 1.1.1.2 type ipsec-l2l
1.1.1.2 tunnel-group ipsec-attributes
pre-shared-key *.
tunnel-group easyvpn type remote access
tunnel-group easyvpn General attributes
Group Policy - by default-easyvpn
easyvpn group tunnel ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the netbios
inspect the tftp
inspect the pptp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:5542615c178d2803f764c9b8f104732b
: endI guess you have typo in the configuration of the ASA?
L2L 192.168.5.0 ip extended access-list allow 255.255.255.0 192.168.10.0 255.255.255.0
list access extended extended permitted host ip voip pubic ip 192.168.10.0 255.255.255.0Can you confirm that you have configured instead the following:
access-list l2l extended permitted host ip voip pubic ip 192.168.10.0 255.255.255.0
Moreover, even if the crypto map tag says easyvpn; peer address is correct to point 1.1.1.2
In addition, don't know why you have the following configuration (but if it is not necessary I suggest to be removed and 'clear xlate' after the withdrawal):
NAT (outside) 1 192.168.10.0 255.255.255.0
Finally, pls turn off keepalive to SonicWall.
If the foregoing still don't resolve the issue, can you try to remove the card dynamic encryption of the ASA (no map mymap 30000-isakmp ipsec crypto dynamic easyvpn), release the tunnel and try to open the tunnel between the ASA and SonicWall and take the exit of "show the isa cry his ' and ' show cry ipsec his» I'm curious to see why he is always referred to the easyvpn crypto map. When you remove the dynamic encryption card, dynamic vpn lan-to-lan of remote access client does not work.
-
ASA5505 - connection reset when you try to SSH IPSEC tunnel
Hello
VPN IPSEC just bought myself an ASA5505 to replace a PIX 501 and having been transferred to the bulk of the previous configuration, I managed to get the two tunnels to work as before.
Unfortunately when I try and SSH for the SAA the right connection restores instantly even when the tunnel is up. It seems as if the ASA actively refuses the connection, if the journal does not specify this. I had always assumed that the traffic on an established IPSEC tunnel has been implicitly trust and not subject to the usual rules of access list.
I can't SSH to the ASA in the 10.0.0.x range, but I can't SSH to a machine on 10.27.0.4 (I know the tunnel is up and working)
Reference attached config (less sensitive information not relevant).
Also - although I'm not sure of the relevance is given the tunnels seem to work - when I get the line "meepnet-map outside crypto map interface" in the reports of the ASA configuration mode "warning: the crypto map entry is incomplete!" even though I provided the access list, peers, and transform-set variables.
Any help gratefully received! :)
Thank you
DAZ
Hello Darren,
Please mark as answer, if your querry is resolved. Enjoy your time!
Kind regards
Ankur Thukral
Community Manager - security & VPN
-
How can I test the MTU size, through an IPSEC tunnel to an ASA 5520 to an ASA 5510? I have fears that problems with my equipment are due to the insufficient MTU size.
You can use extended ping to see the size of the package you can send through the tunnel with little DF
game do not fragment. for ex: -.
If you have two windows machines, one on each side of the vpn with ip add 10.2.2.10 and 10.3.3.10.
Ping 10.2.2.10 to help: -.
Ping 10.3.3.10
success of the response
Ping 10.3.3.10-l 1500 f {where-l 1500 sets the MTU to 1500 and f said do not fragment}
package has need to be fragmented but df set
package has need to be fragmented but df set
Ping 10.3.3.10-l 1300 f
the fragmentation of packets needs but df set
Ping 10.3.3.10 l - 1270 f
success of the response
success of the response
Thank you
Manish
-
GRE over IPSec tunnel cannot pass traffic through it
I am trying to configure a GRE over IPSec tunnel between sites, we use the router cisco 7613 SUP720 (IOS: s72033-advipservicesk9_wan - mz.122 - 18.SXF15a.bin) and 3845 router (IOS:c3845 - advsecurityk9 - mz.124 - 25c.bin), we are facing problems when we use the tunnel because traffic is not passing through it. the configuration was working when we were using two routers cisco 3845 (IOS:c3845 - advsecurityk9 - mz.124 - 25c.bin), but for some reason, it doesn't work anymore when I paste the configuration on the new 7613 router.
Head office
crypto ISAKMP policy 10
BA aes
preshared authentication
Group 5
ISAKMP crypto key T3ST001 address 0.0.0.0 0.0.0.0
!
!
Crypto ipsec transform-set IPSec_PLC aes - esp esp-sha-hmac
transport mode
!
map PLC - CUM 10 ipsec-isakmp crypto
defined by peer 167.134.216.89
game of transformation-IPSec_PLC
match address 100
!
!
!
Tunnel1 interface
bandwidth 1984
IP 167.134.216.94 255.255.255.252
Mtu 1476 IP
load-interval 30
source of tunnel Serial0/1/0:0
tunnel destination 167.134.216.89interface Serial0/1/0:0
IP 167.134.216.90 255.255.255.252
card crypto PLC - CUMaccess-list 100 permit gre 167.134.216.90 host 167.134.216.8
Router eigrp 100
network 167.134.216.92 0.0.0.3Directorate-General of the
crypto ISAKMP policy 10
BA aes
preshared authentication
Group 5
ISAKMP crypto key T3ST001 address 0.0.0.0 0.0.0.0
!
!
Crypto ipsec transform-set IPSec_PLC aes - esp esp-sha-hmac
transport mode
!
map PLC - CUM 10 ipsec-isakmp crypto
defined by peer 167.134.216.90
game of transformation-IPSec_PLC
match address 100Tunnel1 interface
bandwidth 1984
IP 167.134.216.93 255.255.255.252
Mtu 1476 IP
load-interval 30
source of tunnel Serial1/0/0:1
tunnel destination 167.134.216.90interface Serial1/0/0:1
bandwidth 1984
IP 167.134.216.89 255.255.255.252
IP access-group 101 in
load-interval 30
no fair queue
card crypto PLC - CUMaccess-list 100 permit gre 167.134.216.89 host 167.134.216.90
ER-7600 #sh crypto isakmp his
conn-id State DST CBC slot
167.134.216.89 167.134.216.90 QM_IDLE 3 0ER-3845 #sh crypto isakmp his
status of DST CBC State conn-id slot
167.134.216.89 167.134.216.90 QM_IDLE 3 0 ACTIVEER-3845 #sh active cryptographic engine connections
Algorithm of address State IP Interface ID encrypt decrypt
3 Serial0/1/0: 167.134.216.90 0 HMAC_SHA + AES_CBC 0 0 value
3001 Serial0/1/0: 167.134.216.90 0 set AES + SHA 0 0
3002 Serial0/1/0: 167.134.216.90 0 set AES + SHA 61 0ER-7600 #sh active cryptographic engine connections
Algorithm of address State IP Interface ID encrypt decrypt
3 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + AES_CBC 0 0
2000 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + 0 66 AES_CBC
2001 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + AES_CBC 0 0I had this error on the er-3845: % CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd package not an IPSEC packet and this one on the IPSEC (epa_des_crypt) UH-7600: decrypted packet has no control of his identity
Please help, it's so frustrating...
Thanks in advance
Oscar
Here is a document from cisco, mentioning clearly for a card encryption on the two physical as tunnel interface well.
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009438e.shtml
It may be useful
Manish
-
Routing access to Internet through an IPSec VPN Tunnel
Hello
I installed a VPN IPSec tunnel for a friend's business. At his desk at home, I installed a Cisco SA520 and at it is remote from the site I have a Cisco RVS4000. The IPSec VPN tunnel works very well. The remote site, it can hit all of its workstations and peripheral. I configured the RVS4000 working in router mode as opposed to the bridge. In the Home Office subnet is 192.168.1.0/24 while the subnet to the remote site is 192.168.2.0/24. The SA520 is configured as Internet gateway for the headquarters to 192.168.1.1. The remote desktop has a gateway 192.168.2.1.
I need to configure the remote site so that all Internet traffic will be routed via the Home Office. I have to make sure that whatever it is plugged into the Ethernet on the RVS4000 port will have its Internet traffic routed through the Internet connection on the SA520. Currently I can ping any device on the headquarters of the remote desktop, but I can't ping anything beyond the gateway (192.168.1.1) in the Home Office.
Any help would be greatly appreciated.
Thank you.
Hi William, the rvs4000 does not support the tunnel or esp transfer wild-card.
-
Unable to Ping hosts through IPSec Tunnel
I have a configuration of lab home with a PIX 515 running code 8.03. I've made several changes over the last week and now when I finish a VPN connection to the external interface, I'm unable to hit all internal resources. My VPN connection comes from a 10.22.254.0/24 trying to knock the internal nodes to 10.22.1.0/24, see below. When I finish a VPN connection with the inside interface works, so I guess that I'm dealing with a NAT problem? I have not idea why Phase 9 is a failure:-------. Any help would be great!
-------
IP 10.22.254.0 allow Access-list extended sheep 255.255.255.0 10.22.1.0 255.255.255.0
NAT (inside) 0 access-list sheep
-------
Global 1 interface (outside)
-------
access-list extended split allow ip 10.22.1.0 255.255.255.0 10.22.254.0 255.255.255.0
-------
Packet-trace entry inside tcp 10.22.1.15 1025 10.22.254.15 3389 detailed
Phase: 1
Type: FLOW-SEARCH
Subtype:
Result: ALLOW
Config:
Additional information:
Not found no corresponding stream, creating a new stream
Phase: 2
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
in 0.0.0.0 0.0.0.0 outdoors
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0x2bb3450, priority = 0, sector = option-ip-enabled, deny = true
hits = 17005, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0x304ae48, priority = 12, area = ipsec-tunnel-flow, deny = true
hits = 17005, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
Phase: 5
Type: NAT-FREE
Subtype:
Result: ALLOW
Config:
NAT (inside) 0 access-list sheep
NAT-control
is the intellectual property inside 10.22.1.0 outside 10.22.254.0 255.255.255.0 255.255.255.0
Exempt from NAT
translate_hits = 6, untranslate_hits = 5
Additional information:
Direct flow from returns search rule:
ID = 0x2be2a00, priority = 6, free = area of nat, deny = false
Hits = 5, user_data is 0x2be2960, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
SRC ip = 10.22.1.0, mask is 255.255.255.0, port = 0
DST ip = 10.22.254.0, mask is 255.255.255.0, port = 0
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside, DMZ) 10.22.1.0 10.22.1.0 netmask 255.255.255.0
NAT-control
is the intellectual property inside 10.22.1.0 255.255.255.0 DMZ all
static translation at 10.22.1.0
translate_hits = 10, untranslate_hits = 0
Additional information:
Direct flow from returns search rule:
ID = 0x2d52800, priority = 5, area = host, deny = false
hits = 21654, user_data = 0x2d51dc8, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
SRC ip = 10.22.1.0, mask is 255.255.255.0, port = 0
DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT-control
is the intellectual property inside everything outside of any
dynamic translation of hen 1 (192.168.20.20 [Interface PAT])
translate_hits = 2909, untranslate_hits = 9
Additional information:
Direct flow from returns search rule:
ID = 0x2d4a7d0, priority = 1, sector = nat, deny = false
hits = 16973, user_data = 0x2d4a730, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
DST ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0 x 3328000, priority = 70, domain = encrypt, deny = false
hits = 0, user_data is 0x1efa0cc, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
SRC ip = 10.22.1.0, mask is 255.255.255.0, port = 0
DST ip = 10.0.0.0, mask is 255.0.0.0, port = 0
Phase: 9
Type: ACCESS-LIST
Subtype: ipsec-user
Result: DECLINE
Config:
Additional information:
Direct flow from returns search rule:
ID = 0x3329a48, priority = 69, domain = ipsec - user, deny = true
Hits = 37, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =
DST ip = 10.0.0.0, mask is 255.0.0.0, port = 0
Result:
input interface: inside
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: drop
Drop-reason: flow (acl-drop) is denied by the configured rule
No, the sheep ACL requires that defining the internal network traffic to the
Pool VPN. You must remove the other entries.
Delete:
allowed to Access-list sheep line 8 extended ip 10.22.254.0 255.255.255.0 DM_INLINE_NETWORK_18 object-group
allowed to Access-list sheep line 8 extended ip 10.22.254.0 255.255.255.0 10.22.1.0 255.255.255.0 -
Tunnel traffic inside IPSEC tunnel
Hello world
Site has a Site B through ASA IP Sec Tunnel.
Now turn on Site a GRE tunnel and the tunnel destination is happening inside the IPSEC tunnel.
In other words, IPSEC tunnel between 2 sites also leads the GRE Tunnel traffic.
Who's in charge, I can run on ASA whether IPSEC is transport traffic of the GRE tunnel or
Which line in config ASA will tell me that this IPSEC also conducts traffic GRE tunnel?
Thank you
MAhesh
Hello
I think that you will probably see GRE in the ASA connection table when the connection is in use.
You can try the command
Show conn | Volition Inc.
And see if this produceses matter what exit.
Can you possibly provide "interface Tunnelx" configurations and if its using other interfaces such as 'tunnel source' and 'destination tunnel' then their configurations also.
-Jouni
-
force the IPSec tunnel to stay in place even if no traffic
Hello
We had exactly the same problem, as already described here;
https://supportforums.Cisco.com/discussion/11666661/can-we-automatically...
We actually run ASA 9.1 and the remote peer is a Fortigate. There is a new feature that has been introduced since the post on the forum above or fact creating an sla is the only way to follow IPsec tunnel.
Concerning
Nothing new was built in the SAA to take account of this requirement.
I also had good results a script running on an internal host to send a "tcp" ping to a remote host, thus making sure traffic interesting was often enough to maintain the tunnel.
-
EIGRP plain IPsec tunnel?
Hi all
I was always under the impression that plain IPsec pass through the tunnel unicast IP traffic.
When I need pass non-unicast or non - IP traffic, I created an IPsec with GRE or VTI.
But I am currently on the customer site where all EIGRP routes are exchanged between sites that communicate through a single tunnel ordinary IPsec.
I have added/changed/deleted routes on both sides, and the changes are reflected on the routing of the other table.
The neighbors are not statically configured on the router, configuring EIGRP is simply 'no Auto-resume', then 'network 172.16.0.0'
My question is...
How is it all EIGRP traffic is going through the tunnel without any problem?
Both are 2811 s 12.4 (18) running
Thanks for any help!
Federico.
Federico
Indeed, I believe that this is the case. It is quite clear according to the additional information that you have posted that these two routers are connected directly (in this case connected via FastEthernet) and connection interfaces running EIGRP, so that the EIGRP Hellos are sent the FastEthernet interfaces. The access list has failed for EIGRP, so there is no effort to encrypt the Hellos and they are sent in the clear. If routers become neighbors and EIGRP updates are sent through the FastEthernet interfaces. Data destinations that are learned traffic is sent on the FastEthernet interfaces, and when data traffic matches access list it is encrypted by IPSec.
HTH
Rick
-
DROP in flow of the IPSec tunnel
Hello
I am trying to use a VPN, who worked on one connection ASA months on ASA9.1 (2). I've updated to ASA9.1 11 (6) and it has stopped working.
This is the remote ASA5505s making an IPSEC connection-a network head 5520. I can ride preceding and following 2 and 11 9.1 9.1 (6) and while the configuration does not change, the VPN starts working on 9.1 2
Vpn connects, but there is no packets sent or received...
I get this packet tracer...
Output of the command: "packet - trace entry tcp teeessyou 192.168.190.2 5000 192.168.195.1 detail 80.
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit rule
Additional information:
Direct flow from returns search rule:
ID = 0xae1308e8, priority = 1, domain = allowed, deny = false
hits = 622, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8
Mac SRC = 0000.0000.0000, mask is 0000.0000.0000
DST = 0000.0000.0000 Mac, mask is 0100.0000.0000
input_ifc = teeessyou, output_ifc = anyPhase: 2
Type: UN - NAT
Subtype: static
Result: ALLOW
Config:
NAT (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS
Additional information:
NAT divert on exit to the outside interface
Untranslate 192.168.195.1/80 to 192.168.195.1/80Phase: 3
Type: ACCESS-LIST
Subtype: Journal
Result: ALLOW
Config:
Access-group teeessyou_access_in in the teeessyou interface
teeessyou_access_in of access allowed any ip an extended list
Additional information:
Direct flow from returns search rule:
ID = 0xae24d310, priority = 13, area = allowed, deny = false
hits = 622, user_data is 0xab6b23c0, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = teeessyou, output_ifc = anyPhase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS
Additional information:
Definition of static 192.168.190.2/5000 to 192.168.190.2/5000
Direct flow from returns search rule:
ID = 0xae1ea5a8, priority = 6, area = nat, deny = false
hits = 622, user_data is 0xae1e9c58, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=192.168.192.0 DST, mask is 255.255.224.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = teeessyou, output_ifc = externalPhase: 5
Type: NAT
Subtype: volatile
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xa9678858, priority = 1, domain = nat-volatile, deny = true
hits = 105, user_data = 0 x 0, cs_id = 0 x 0, reverse, use_real_addr, flags = 0 x 0, Protocol = 6
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = none, output_ifc = anyPhase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xae136910, priority = 0, sector = inspect-ip-options, deny = true
hits = 622, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = teeessyou, output_ifc = anyPhase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xaeec4328, priority = 70, domain = encrypt, deny = false
hits = 65, user_data is 0xb7dc, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=192.168.195.0 DST, mask is 255.255.255.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = none, output_ifc = externalPhase: 8
Type: NAT
Subtype: rpf check
Result: ALLOW
Config:
NAT (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS
Additional information:
Direct flow from returns search rule:
ID = 0xae1eae48, priority = 6, area = nat-reversed, deny = false
hits = 129, user_data is 0xae1e9d10, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=192.168.192.0 DST, mask is 255.255.224.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = teeessyou, output_ifc = externalPhase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DECLINE
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0xaea9f6b0, priority = 69 = ipsec-tunnel-flow area, deny = false
hits = 129, user_data = 0 x 0, cs_id = 0xaea999c0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=192.168.192.0 SRC, mask = 255.255.224.0, port = 0, = 0 tag
IP/ID=192.168.190.0 DST, mask is 255.255.255.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = out, output_ifc = anyHello Spencerallsop,
I recommend to add the keyword "no-proxy-arp" the end of the NAT statement, so the ASA try to answer queries ARP for the traffic(VPN interesting traffic), also this last phase 9 usually shows ignored due to a filter VPN defined in sometimes group policy, make sure you have not a filter VPN in a group policy that affect this tunnel then you will need to do the following:
1. remove the NAT statement:
-no nat (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS
2 fix the NAT statement with the keyword "No.-proxy-arp" :
-nat (teeessyou, outside) static source any any destination static teeessyou_ENCODERS teeessyou_ENCODERS non-proxy-arp
3 disable the VPN ISA SA:
-claire crypto ikev1 his
4. run the packet tracer to check that the L2L has developed,
To be honest I wouldn't recommend move you to 9.1.7 since it has some problems with the ARP entries, and it affects AnyConnect SSL somehow, which is still under investigation.
In fact, this bug affects 9.1.7 (may affect your environment):
- https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy28710
Please don't forget to rate and score as of this post, keep me posted!
Kind regards
David Castro,
Maybe you are looking for
-
IPhone 6s more crash, don't panic
My iphone crashes while I was using it and went into panic mode... Anyone give some extra information?
-
Unable to add the printer connection
Add a new workstation to a domain, and when I try to use a printer on the network, I get this error when choosing a printer.
-
I have a Windows Vista Home Premium on my PC. I kept getting the icon on the lower right of the screen "new updates are available to the general public" everytime "Windows updates have been installed properly" installed". Please advise how can I get
-
Why am I unable to send e-mail with windows live mail on Windows Vista
I can receive but can't send email Here is the error... "A TCP/IP error occurred trying to connect to the server. Object "XXX". "Server: ' is correct." Windows Live Mail error ID: 0x800CCC15 Protocol: SMTP Port: 25 Secure (SSL): No. Would certainly a
-
Windows 7 Home Premium OA BA68 - 05435A LATAM
Need Windows 7 is installed on your laptop NP700G7Ain the bottom of the laptop sticker pasted the following text is displayed: Windows 7 Home Premium OA BA68 - 05435A LATAM Thank you for the problems since lost laptop recovery CD and I need this SO