[c-nsp] ASA: site-to-site vpn to cisco router.
Randy
randy_94108 at yahoo.com
Sat Oct 27 17:22:42 EDT 2012
Hello,
IIRC hairpinning is disabled by default on the ASA. You have to enable it via:
"same-security traffic permit intra-interface"
./Randy
--- On Sat, 10/27/12, sky vader <aptgetd at gmail.com> wrote:
> From: sky vader <aptgetd at gmail.com>
> Subject: [c-nsp] ASA: site-to-site vpn to cisco router.
> To: cisco-nsp at puck.nether.net
> Date: Saturday, October 27, 2012, 10:34 AM
> Hi,
>
> I have a very basic lab site-to-site VPN setup where I have an ASA 5505
> running v7.2(4) on one side and a Cisco 2811 on the other side.
>
> What is my issue?
>
> I can't seem to ping from the Cisco 2811 to the 'inside' network of the ASA
> (see config below) and can't seem to ping from the ASA 'inside' network to
> the 'outside' network towards the Cisco 2811, even with an ICMP ACL permitting
> outside in. However, I'm able to ping within the ASA inside network and ping
> the Cisco 2811 side with packets leaving the ASA 'outside' interface just fine.
>
>
> example:
> -------
> ciscoasa# ping inside 10.20.20.1 (to Cisco loopback1 from ASA inside)
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:
> ?????
> Success rate is 0 percent (0/5)
>
>
> ciscoasa# ping outside 10.20.20.1 (to Cisco loopback1 from ASA outside interface)
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
>
>
>
> ; ASA5505 config:
> ----------------
>
> ciscoasa#
>
> ASA Version 7.2(4)
> !
> hostname ciscoasa
> enable password 2KFQnbNIdI.2KYOU encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> names
> !
> interface Vlan1
> nameif inside
> security-level 100
> ip address 10.10.10.1 255.255.255.0
> !
> interface Vlan2
> nameif outside
> security-level 0
> ip address 192.168.1.2 255.255.255.0
> !
> interface Ethernet0/0
> desc outside facing
> switchport access vlan 2
> !
> interface Ethernet0/1
> desc inside facing
> !
> interface Ethernet0/2
> shutdown
> !
> interface Ethernet0/3
> shutdown
> !
> interface Ethernet0/4
> shutdown
> !
> interface Ethernet0/5
> shutdown
> !
> interface Ethernet0/6
> shutdown
> !
> interface Ethernet0/7
> shutdown
> !
> ftp mode passive
> access-list INBOUND extended permit icmp any any echo
> access-list INBOUND extended permit icmp any any echo-reply
> access-list INBOUND extended permit icmp any any time-exceeded
> access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
> access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
> access-list OUTBOUND extended permit icmp any any echo
> access-list OUTBOUND extended permit icmp any any echo-reply
> access-list OUTBOUND extended permit icmp any any time-exceeded
> pager lines 24
> mtu inside 1500
> mtu outside 1500
> icmp unreachable rate-limit 1 burst-size 1
> asdm image disk0:/asdm-524.bin
> no asdm history enable
> arp timeout 14400
> nat (inside) 0 access-list nonat
> access-group OUTBOUND in interface inside
> access-group INBOUND in interface outside
> route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec transform-set ASA5505 esp-aes esp-md5-hmac
> crypto map outside_map 1 match address outside_1_cryptomap
> crypto map outside_map 1 set pfs
> crypto map outside_map 1 set peer 192.168.1.1
> crypto map outside_map 1 set transform-set ASA5505
> crypto map outside_map interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
> authentication pre-share
> encryption 3des
> hash md5
> group 2
> lifetime 86400
> telnet timeout 5
> ssh 0.0.0.0 0.0.0.0 outside
> ssh timeout 30
> console timeout 0
>
> tunnel-group 192.168.1.1 type ipsec-l2l
> tunnel-group 192.168.1.1 ipsec-attributes
> pre-shared-key *
> !
> class-map inspection_default
> match default-inspection-traffic
> !
> !
> policy-map type inspect dns preset_dns_map
> parameters
> message-length maximum 512
> policy-map global_policy
> class inspection_default
> inspect dns preset_dns_map
> inspect ftp
> inspect h323 h225
> inspect h323 ras
> inspect rsh
> inspect rtsp
> inspect esmtp
> inspect sqlnet
> inspect skinny
> inspect sunrpc
> inspect xdmcp
> inspect sip
> inspect netbios
> inspect tftp
> !
>
>
> ; cisco 2811 config:
> ------------------
>
> HUB-RTR-2811#
>
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> service password-encryption
> !
> hostname HUB-RTR-2811
> !
> boot-start-marker
> boot system flash:c2800nm-adventerprisek9-mz.124-11.XJ4.bin
> boot-end-marker
> !
> logging buffered 51200 warnings
> !
> no aaa new-model
> no network-clock-participate wic 0
> !
> !
> ip cef
> !
> !
> no ip domain lookup
> !
> multilink bundle-name authenticated
> !
> !
> voice-card 0
> no dspfarm
> !
> !
> crypto pki trustpoint TP-self-signed-2814333580
> enrollment selfsigned
> subject-name cn=IOS-Self-Signed-Certificate-2814333580
> revocation-check none
> rsakeypair TP-self-signed-2814333580
> !
> !
> crypto pki certificate chain TP-self-signed-2814333580
> certificate self-signed 01
> 30820244 308201AD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
> 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
> 69666963 6174652D 32383134 33333335 3830301E 170D3132 30323230 32303339
> 30325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
> 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 38313433
> 33333538 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
> 8100C499 0DC0E3DA 208E0AA9 4F97E9F5 8C763232 DDFBAE93 BA44EAED 456E8B5E
> 1253F5C2 E84E4718 F3371C84 1F9A687E E4C3B422 DAD4AAFA 06378D22 74CBB1B4
> C7946A78 347B0999 82857B13 797E57FE B3EECCDB 2C64F831 C2405D8D 37AF6044
> 99E45243 B6C04972 E558EF9B D2CFA990 C1813329 6FD120E9 CB9050E1 16E02F3D
> ACBB0203 010001A3 6C306A30 0F060355 1D130101 FF040530 030101FF 30170603
> 551D1104 10300E82 0C485542 2D525452 2D323831 31301F06 03551D23 04183016
> 801493C4 BA29E1DF 658929BF 57BBC58C 53974EB8 7472301D 0603551D 0E041604
> 1493C4BA 29E1DF65 8929BF57 BBC58C53 974EB874 72300D06 092A8648 86F70D01
> 01040500 03818100 5EE53EC6 C6E77238 E4C8409B 0372EFA5 C413316F 9725372D
> 3F0F2362 37E4E870 09A1E109 EE5A78DD 6BD46334 9831A0A1 33FC3EE8 B5DADE15
> F288817A B88044C5 9EAA69DF FF76CE52 B161E1CD C85C3F9D 776F87B2 B874DA42
> 35B160D7 92A0E439 B1C2D4BA 3D13206C 9547D3B3 81A74925 A453DE1B D003E2D8
> B7AB0C47 FED8B737
> quit
> !
> !
> controller T1 0/0/0
> framing esf
> linecode b8zs
> channel-group 0 timeslots 1-24
> !
> controller T1 0/0/1
> framing esf
> linecode b8zs
> channel-group 0 timeslots 1-24
> vlan internal allocation policy ascending
> !
> !
> crypto isakmp policy 1
> encr 3des
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key cisco address 192.168.1.2
> !
> !
> crypto ipsec transform-set 2811 esp-aes esp-md5-hmac
> !
> crypto map MYMAP 1 ipsec-isakmp
> set peer 192.168.1.2
> set security-association lifetime seconds 86400
> set transform-set 2811
> set pfs group2
> match address net-local-to-remote
> !
>
> interface Loopback1
> desc inside network
> ip address 10.20.20.1 255.255.255.0
> !
> interface FastEthernet0/0
> description connection to ASA5505 ipsec tunnel
> ip address 192.168.1.1 255.255.255.0
> duplex auto
> speed auto
> crypto map MYMAP
> !
> interface FastEthernet0/1
> no ip address
> shutdown
> duplex auto
> speed auto
> !
> interface Serial0/0/0:0
> no ip address
> shutdown
> !
> interface Serial0/0/1:0
> no ip address
> shutdown
> !
> interface Serial0/2/0
> no ip address
> shutdown
> !
> interface FastEthernet1/0
> no switchport
> no ip address
> duplex full
> speed 100
> !
> interface FastEthernet1/1
> no switchport
> no ip address
> shutdown
> !
> interface FastEthernet1/2
> !
> interface FastEthernet1/3
> !
> interface FastEthernet1/4
> !
> interface FastEthernet1/5
> !
> interface FastEthernet1/6
> !
> interface FastEthernet1/7
> !
> interface FastEthernet1/8
> !
> interface FastEthernet1/9
> !
> interface FastEthernet1/10
> !
> interface FastEthernet1/11
> no switchport
> no ip address
> !
> interface FastEthernet1/12
> !
> interface FastEthernet1/13
> !
> interface FastEthernet1/14
> !
> interface FastEthernet1/15
> !
> interface Vlan1
> no ip address
> shutdown
> !
> ip route 0.0.0.0 0.0.0.0 192.168.1.2
> !
> !
> no ip http server
> no ip http secure-server
> !
> ip access-list extended net-local-to-remote
> permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
> !
>
> control-plane
> !
>
> line con 0
> logging synchronous
> line aux 0
> line vty 0 4
> privilege level 15
> logging synchronous
> login local
> transport input telnet ssh
> line vty 5 15
> privilege level 15
> login local
> transport input telnet ssh
> !
> scheduler allocate 20000 1000
> !
> end
>
>
>
> ; Prior to the tunnel coming up on 2811
> --------------------------------------
>
> HUB-RTR-2811#show crypto session
> Crypto session current status
>
> Interface: FastEthernet0/0
> Session status: DOWN
> Peer: 192.168.1.2 port 500
> IPSEC FLOW: permit ip 10.20.20.0/255.255.255.0 10.10.10.0/255.255.255.0
> Active SAs: 0, origin: crypto map
>
>
> ; Pushing interesting traffic via ping on 2811 w/ no response; however, the IPsec tunnel comes up.
> -------------------------------------------------------
>
> HUB-RTR-2811#ping 10.10.10.1 source loopback1 (pinging towards inside of ASA)
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
> Packet sent with a source address of 10.20.20.1
> .....
> Success rate is 0 percent (0/5)
>
>
> HUB-RTR-2811#ping 10.10.10.10 source loopback1 (pinging towards inside of ASA)
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
> Packet sent with a source address of 10.20.20.1
> .....
> Success rate is 0 percent (0/5)
>
>
> ; ipsec tunnel comes up even though ping fails
> --------------------------------------------
>
> HUB-RTR-2811#show crypto session
> Crypto session current status
>
> Interface: FastEthernet0/0
> Session status: UP-ACTIVE
> Peer: 192.168.1.2 port 500
> IKE SA: local 192.168.1.1/500 remote 192.168.1.2/500 Active
> IPSEC FLOW: permit ip 10.20.20.0/255.255.255.0 10.10.10.0/255.255.255.0
> Active SAs: 2, origin: crypto map
>
>
> Any insight/pointers will be appreciated.
>
> I appreciate your time/help.
>
>
> regards,
> sky
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
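Before changing anything on the ASA it is worth confirming that the two crypto-map configurations quoted above actually agree with each other, since a proxy-identity or phase-1/phase-2 mismatch is the usual reason a site-to-site tunnel passes no traffic. The script below is an added example for this thread, not code from either post: it parses excerpts of the two quoted configs, checks that the crypto ACLs are mirror images of each other, that ISAKMP policy, transform set and PFS group match, that the ASA's nat 0 exemption covers the crypto ACL, and lists the legacy algorithms both boxes are using (3DES, MD5, DH group 2). The config excerpts are constructed from the post and are not complete; the script assumes an ASA "set pfs" with no group means group2 (the documented ASA default) and only parses network/mask ACL entries, not "any" or "host" forms.

```python
"""Audit an ASA <-> IOS crypto-map site-to-site IPsec pair for the usual mismatches (crypto ACLs
not mirrored, ISAKMP policy, transform set, PFS, ASA NAT exemption) and list legacy algorithms
(DES/3DES, MD5, DH groups 1-2). Added example for the cisco-nsp thread, not code from the post."""
import ipaddress
import re

# Constructed excerpts of the two configs quoted in the post (not the complete configs).
ASA_CONFIG = """\
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set ASA5505 esp-aes esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set transform-set ASA5505
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
"""
IOS_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set 2811 esp-aes esp-md5-hmac
crypto map MYMAP 1 ipsec-isakmp
 set transform-set 2811
 set pfs group2
 match address net-local-to-remote
ip access-list extended net-local-to-remote
 permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
"""
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac", "dh-group-1", "dh-group-2"}

def _net(addr, mask, wildcard):
    """ASA ACLs carry netmasks; IOS ACLs carry wildcard masks, which are inverted here."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _flows(lines, wildcard):
    """'SRC MASK DST MASK' remainders -> (src_net, dst_net) pairs; 'any'/'host' forms are not handled."""
    return [(_net(s, sm, wildcard), _net(d, dm, wildcard)) for s, sm, d, dm in (l.split()[:4] for l in lines)]

def crypto_acl(config, name):
    """Flows of a named extended ACL in either ASA (one-line) or IOS (block) syntax."""
    asa = re.findall(rf"^access-list {re.escape(name)} extended permit ip (.+)$", config, re.M)
    if asa:
        return _flows(asa, wildcard=False)
    block = re.search(rf"^ip access-list extended {re.escape(name)}\n((?: .*\n)*)", config, re.M)
    return _flows(re.findall(r"^ permit ip (.+)$", block.group(1), re.M), wildcard=True) if block else []

def isakmp_policy(config):
    """First ISAKMP policy as a dict; the IOS keyword 'encr' is normalised to 'encryption'."""
    block = re.search(r"^crypto isakmp policy \d+\n((?: .*\n)*)", config, re.M).group(1)
    return {("encryption" if k == "encr" else k): v
            for k, _, v in (line.strip().partition(" ") for line in block.splitlines())}

def crypto_map(config):
    """ACL, transform set and PFS group of the first crypto-map entry."""
    pfs = re.search(r"set pfs\b(?: (\S+))?", config)  # ASA 'set pfs' with no group means group2 (ASA default)
    return {"acl": re.search(r"match address (\S+)", config).group(1),
            "transform_set": re.search(r"set transform-set (\S+)", config).group(1),
            "pfs": (pfs.group(1) or "group2") if pfs else None}

def transform_set(config, name):
    return set(re.search(rf"^crypto ipsec transform-set {re.escape(name)} (.+)$", config, re.M).group(1).split())

def nat_exempt_gaps(asa):
    """Crypto-ACL flows that the ASA 'nat (iface) 0 access-list' exemption does not cover."""
    m = re.search(r"^nat \(\S+\) 0 access-list (\S+)", asa, re.M)
    exempt = crypto_acl(asa, m.group(1)) if m else []
    return [(s, d) for s, d in crypto_acl(asa, crypto_map(asa)["acl"])
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]

def weak_algorithms(config):
    pol = isakmp_policy(config)
    used = {pol.get("encryption"), pol.get("hash"), "dh-group-" + pol.get("group", "?")}
    return sorted((used | transform_set(config, crypto_map(config)["transform_set"])) & WEAK)

def audit(asa=ASA_CONFIG, ios=IOS_CONFIG):
    amap, imap = crypto_map(asa), crypto_map(ios)
    aflows, iflows = crypto_acl(asa, amap["acl"]), crypto_acl(ios, imap["acl"])
    apol, ipol = isakmp_policy(asa), isakmp_policy(ios)
    return {
        # a local (src, dst) flow must have an exact (dst, src) twin in the peer's crypto ACL
        "unmirrored_asa_flows": [(s, d) for s, d in aflows if (d, s) not in iflows],
        "unmirrored_ios_flows": [(s, d) for s, d in iflows if (d, s) not in aflows],
        "isakmp_mismatch": {k: (apol.get(k), ipol.get(k)) for k in ("encryption", "hash", "group", "authentication")
                            if apol.get(k) != ipol.get(k)},
        "transform_mismatch": transform_set(asa, amap["transform_set"]) ^ transform_set(ios, imap["transform_set"]),
        "pfs_mismatch": amap["pfs"] != imap["pfs"],
        "nat_exempt_gaps": nat_exempt_gaps(asa),
        "weak_algorithms": {"asa": weak_algorithms(asa), "ios": weak_algorithms(ios)},
    }

if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

For the configs in the post the audit comes back clean apart from the legacy-algorithm list, which is consistent with the UP-ACTIVE session the poster sees: phase 1 and phase 2 negotiate, so the ping failures are not a policy mismatch. One symptom-specific check the script cannot make is that an ASA will not answer ICMP sent to its own inside interface address (10.10.10.1) arriving through the outside interface unless "management-access inside" is configured, so a ping to a real host in 10.10.10.0/24 is the better test of the tunnel than a ping to the interface address.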