[c-nsp] ASA: site-to-site vpn to cisco router.

sky vader aptgetd at gmail.com
Sat Oct 27 13:34:21 EDT 2012


Hi,

I have a very basic lab site-to-site VPN setup where I have an ASA 5505
running v7.2(4) on one side and a Cisco 2811 on the other side.

What's my issue?

I can't seem to ping from the Cisco 2811 to the 'inside' network of the ASA (see
config below), and I can't seem to ping from the ASA 'inside' network to the
'outside' network towards the Cisco 2811 even w/ an ICMP ACL permitting it outside
in. However, I'm able to ping within the ASA inside network & ping the Cisco 2811
side w/ packets leaving the ASA 'outside' interface just fine.


example:
-------
ciscoasa# ping inside 10.20.20.1 (to cisco loopback1 from ASA inside)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)


ciscoasa# ping outside 10.20.20.1 (to cisco loopback1 from ASA outside
interface)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms



; ASA5505 config:
----------------

ciscoasa#

ASA Version 7.2(4)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/0
 desc outside facing
 switchport access vlan 2
!
interface Ethernet0/1
 desc inside facing
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
access-list INBOUND extended permit icmp any any echo
access-list INBOUND extended permit icmp any any echo-reply
access-list INBOUND extended permit icmp any any time-exceeded
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0
255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.10.0
255.255.255.0 10.20.20.0 255.255.255.0
access-list OUTBOUND extended permit icmp any any echo
access-list OUTBOUND extended permit icmp any any echo-reply
access-list OUTBOUND extended permit icmp any any time-exceeded
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
access-group OUTBOUND in interface inside
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ASA5505 esp-aes esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 192.168.1.1
crypto map outside_map 1 set transform-set ASA5505
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0

tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!


; cisco 2811 config:
------------------

 HUB-RTR-2811#

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HUB-RTR-2811
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.124-11.XJ4.bin
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
no network-clock-participate wic 0
!
!
ip cef
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
!
crypto pki trustpoint TP-self-signed-2814333580
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2814333580
 revocation-check none
 rsakeypair TP-self-signed-2814333580
!
!
crypto pki certificate chain TP-self-signed-2814333580
 certificate self-signed 01
  30820244 308201AD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32383134 33333335 3830301E 170D3132 30323230 32303339
  30325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 38313433
  33333538 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C499 0DC0E3DA 208E0AA9 4F97E9F5 8C763232 DDFBAE93 BA44EAED 456E8B5E
  1253F5C2 E84E4718 F3371C84 1F9A687E E4C3B422 DAD4AAFA 06378D22 74CBB1B4
  C7946A78 347B0999 82857B13 797E57FE B3EECCDB 2C64F831 C2405D8D 37AF6044
  99E45243 B6C04972 E558EF9B D2CFA990 C1813329 6FD120E9 CB9050E1 16E02F3D
  ACBB0203 010001A3 6C306A30 0F060355 1D130101 FF040530 030101FF 30170603
  551D1104 10300E82 0C485542 2D525452 2D323831 31301F06 03551D23 04183016
  801493C4 BA29E1DF 658929BF 57BBC58C 53974EB8 7472301D 0603551D 0E041604
  1493C4BA 29E1DF65 8929BF57 BBC58C53 974EB874 72300D06 092A8648 86F70D01
  01040500 03818100 5EE53EC6 C6E77238 E4C8409B 0372EFA5 C413316F 9725372D
  3F0F2362 37E4E870 09A1E109 EE5A78DD 6BD46334 9831A0A1 33FC3EE8 B5DADE15
  F288817A B88044C5 9EAA69DF FF76CE52 B161E1CD C85C3F9D 776F87B2 B874DA42
  35B160D7 92A0E439 B1C2D4BA 3D13206C 9547D3B3 81A74925 A453DE1B D003E2D8
  B7AB0C47 FED8B737
  quit
!
!
controller T1 0/0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 0/0/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
vlan internal allocation policy ascending
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.1.2
!
!
crypto ipsec transform-set 2811 esp-aes esp-md5-hmac
!
crypto map MYMAP 1 ipsec-isakmp
 set peer 192.168.1.2
 set security-association lifetime seconds 86400
 set transform-set 2811
 set pfs group2
 match address net-local-to-remote
!

interface Loopback1
 desc inside network
 ip address 10.20.20.1 255.255.255.0
!
interface FastEthernet0/0
 description connection to ASA5505 ipsec tunnel
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MYMAP
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0:0
 no ip address
 shutdown
!
interface Serial0/0/1:0
 no ip address
 shutdown
!
interface Serial0/2/0
 no ip address
 shutdown
!
interface FastEthernet1/0
 no switchport
 no ip address
 duplex full
 speed 100
!
interface FastEthernet1/1
 no switchport
 no ip address
 shutdown
!
interface FastEthernet1/2
!
interface FastEthernet1/3
!
interface FastEthernet1/4
!
interface FastEthernet1/5
!
interface FastEthernet1/6
!
interface FastEthernet1/7
!
interface FastEthernet1/8
!
interface FastEthernet1/9
!
interface FastEthernet1/10
!
interface FastEthernet1/11
 no switchport
 no ip address
!
interface FastEthernet1/12
!
interface FastEthernet1/13
!
interface FastEthernet1/14
!
interface FastEthernet1/15
!
interface Vlan1
 no ip address
 shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
!
no ip http server
no ip http secure-server
!
ip access-list extended net-local-to-remote
 permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!

control-plane
!

line con 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 logging synchronous
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end



; Prior to the tunnel coming up on 2811
--------------------------------------

HUB-RTR-2811#show crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: DOWN
Peer: 192.168.1.2 port 500
  IPSEC FLOW: permit ip 10.20.20.0/255.255.255.0 10.10.10.0/255.255.255.0
        Active SAs: 0, origin: crypto map


; Pushing interesting traffic via ping on the 2811 w/ no response; however, the
IPsec tunnel comes up.
-------------------------------------------------------

HUB-RTR-2811#ping 10.10.10.1 source loopback1 (pinging towards inside of
ASA)

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 10.20.20.1
.....
Success rate is 0 percent (0/5)


HUB-RTR-2811#ping 10.10.10.10 source loopback1 (pinging towards inside
of ASA)

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 10.20.20.1
.....
Success rate is 0 percent (0/5)


; IPsec tunnel comes up even though ping fails
--------------------------------------------

HUB-RTR-2811#show crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 192.168.1.2 port 500
  IKE SA: local 192.168.1.1/500 remote 192.168.1.2/500 Active
  IPSEC FLOW: permit ip 10.20.20.0/255.255.255.0 10.10.10.0/255.255.255.0
        Active SAs: 2, origin: crypto map


Any insight/pointers will be appreciated.

I appreciate your time/help.


regards,
sky
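The check below is an added example, not part of the original post and not a Cisco tool. It re-types the phase-2 pieces of the two configs above (with the wrapped ACL lines joined) and cross-checks the things that most often leave an L2L tunnel UP-ACTIVE with no traffic passing: crypto ACLs that are not mirror images, a nat 0 ACL that does not cover the crypto ACL, differing transform sets, and differing PFS groups. It only understands `permit ip NET MASK NET MASK` entries (ASA) and `permit ip NET WILDCARD NET WILDCARD` entries (IOS), which is all these configs use. For the posted configs every check passes, which agrees with the SAs coming up and moves the suspicion away from the crypto map and towards how the test pings are sourced: on the ASA, ICMP that the firewall itself sources from the inside interface (`ping inside ...`) and echo requests arriving through the tunnel for the inside interface address both depend on `management-access inside`, which is absent from the posted config.

```python
"""Cross-check ASA 7.x and IOS 12.4 L2L phase-2 parameters (added example)."""
import ipaddress
import re

# Constructed from the configs in the post; wrapped ACL lines joined.
ASA_CONFIG = """\
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set ASA5505 esp-aes esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 192.168.1.1
crypto map outside_map 1 set transform-set ASA5505
crypto map outside_map interface outside
"""

IOS_CONFIG = """\
crypto ipsec transform-set 2811 esp-aes esp-md5-hmac
!
crypto map MYMAP 1 ipsec-isakmp
 set peer 192.168.1.2
 set security-association lifetime seconds 86400
 set transform-set 2811
 set pfs group2
 match address net-local-to-remote
!
ip access-list extended net-local-to-remote
 permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
"""


def _net_from_mask(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _net_from_wildcard(addr, wildcard):
    # IOS ACLs use inverse masks: 0.0.0.255 is a /24
    mask_int = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return _net_from_mask(addr, str(ipaddress.IPv4Address(mask_int)))


def parse_asa(text):
    cfg = {"acls": {}, "maps": {}, "transforms": {}, "nonat": None}
    for line in text.splitlines():
        m = re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line)
        if m:
            name, s, sm, d, dm = m.groups()
            cfg["acls"].setdefault(name, []).append((_net_from_mask(s, sm), _net_from_mask(d, dm)))
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            cfg["transforms"][m.group(1)] = frozenset(m.group(2).split())
            continue
        m = re.match(r"crypto map (\S+) (\d+) (match address|set transform-set|set peer|set pfs)\s*(\S*)$", line)
        if m:
            entry = cfg["maps"].setdefault((m.group(1), int(m.group(2))), {})
            # a bare 'set pfs' on the ASA means group2
            entry[m.group(3)] = m.group(4) or ("group2" if m.group(3) == "set pfs" else "")
            continue
        m = re.match(r"nat \(\S+\) 0 access-list (\S+)$", line)
        if m:
            cfg["nonat"] = m.group(1)
    return cfg


def parse_ios(text):
    cfg = {"acls": {}, "maps": {}, "transforms": {}}
    section = None  # ("acl", name) or ("map", (name, seq)) while inside an indented block
    for line in text.splitlines():
        if not line.startswith(" "):
            section = None
            m = re.match(r"ip access-list extended (\S+)$", line)
            if m:
                section = ("acl", m.group(1))
                cfg["acls"].setdefault(m.group(1), [])
                continue
            m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line)
            if m:
                section = ("map", (m.group(1), int(m.group(2))))
                cfg["maps"].setdefault(section[1], {})
                continue
            m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
            if m:
                cfg["transforms"][m.group(1)] = frozenset(m.group(2).split())
            continue
        body = line.strip()
        if section and section[0] == "acl":
            m = re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)$", body)
            if m:
                s, sw, d, dw = m.groups()
                cfg["acls"][section[1]].append((_net_from_wildcard(s, sw), _net_from_wildcard(d, dw)))
        elif section and section[0] == "map":
            m = re.match(r"(match address|set transform-set|set peer|set pfs) (\S+)$", body)
            if m:
                cfg["maps"][section[1]][m.group(1)] = m.group(2)
    return cfg


def _fmt(flows):
    return sorted(f"{s}->{d}" for s, d in flows)


def check_pair(asa, ios):
    """Return human-readable mismatches; an empty list means phase-2 parameters agree."""
    findings = []
    asa_map = next(iter(asa["maps"].values()))
    ios_map = next(iter(ios["maps"].values()))
    asa_flows = set(asa["acls"].get(asa_map.get("match address"), []))
    ios_flows = set(ios["acls"].get(ios_map.get("match address"), []))
    # each side's crypto ACL must be the exact reverse of the other's (src, dst) pairs
    mirrored = {(d, s) for s, d in ios_flows}
    if asa_flows != mirrored:
        findings.append(f"crypto ACLs are not mirror images: ASA {_fmt(asa_flows)} vs IOS reversed {_fmt(mirrored)}")
    # every crypto flow must be NAT-exempt, or the ASA translates it before encryption
    nonat_flows = asa["acls"].get(asa.get("nonat"), [])
    for s, d in asa_flows:
        if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat_flows):
            findings.append(f"flow {s}->{d} is not covered by the nat 0 ACL")
    asa_ts = asa["transforms"].get(asa_map.get("set transform-set"), frozenset())
    ios_ts = ios["transforms"].get(ios_map.get("set transform-set"), frozenset())
    if asa_ts != ios_ts:
        findings.append(f"transform sets differ: ASA {sorted(asa_ts)} vs IOS {sorted(ios_ts)}")
    asa_pfs, ios_pfs = asa_map.get("set pfs", "none"), ios_map.get("set pfs", "none")
    if asa_pfs != ios_pfs:
        findings.append(f"PFS differs: ASA {asa_pfs} vs IOS {ios_pfs}")
    return findings


def check_posted_configs():
    return check_pair(parse_asa(ASA_CONFIG), parse_ios(IOS_CONFIG))


if __name__ == "__main__":
    for f in check_posted_configs() or ["phase-2 parameters agree on both peers"]:
        print(f)
```

Run it against your own pair of configs by replacing the two strings; the nat 0 coverage test deliberately accepts a wider NAT-exempt ACL than the crypto ACL, since that is legitimate, but flags any crypto flow that the exemption does not contain.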


