[c-nsp] ASA: site-to-site vpn to cisco router.

sky vader aptgetd at gmail.com
Sat Oct 27 18:44:38 EDT 2012


Hi,

I thought the below is to permit traffic between the same interface, but in
my case it's different interfaces (outside / inside) between different
security levels (0 / 100).

Used the below, to no avail.

ciscoasa#same-security-traffic permit intra-interface

I even tried,

ciscoasa#same-security-traffic permit inter-interface

Still no luck.


regards,
sky


On 10/27/2012 02:22 PM, Randy wrote:
> Hello,
> IIRC hairpinning is disabled by default on ASA. You have to enable via:
> 
> "same-security-traffic permit intra-interface"
> 
> ./Randy
> 
> --- On Sat, 10/27/12, sky vader <aptgetd at gmail.com> wrote:
> 
>> From: sky vader <aptgetd at gmail.com>
>> Subject: [c-nsp] ASA: site-to-site vpn to cisco router.
>> To: cisco-nsp at puck.nether.net
>> Date: Saturday, October 27, 2012, 10:34 AM
>> Hi,
>>
>> I have a very basic lab site-to-site VPN setup where I have an ASA 5505
>> running v7.2(4) on one side and a Cisco 2811 on the other side.
>>
>> What's my issue?
>>
>> I can't seem to ping from the Cisco 2811 to the 'inside' network of the ASA
>> (see config below) and can't seem to ping from the ASA 'inside' network to
>> the 'outside' network towards the Cisco 2811 even w/ an ICMP ACL permitting
>> outside in. However, I'm able to ping within the ASA inside network & ping
>> the Cisco 2811 side w/ packets leaving the ASA 'outside' interface just fine.
>>
>>
>> example:
>> -------
>> ciscoasa# ping inside 10.20.20.1 (to cisco loopback1 from ASA inside)
>> Type escape sequence to abort.
>> Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:
>> ?????
>> Success rate is 0 percent (0/5)
>>
>>
>> ciscoasa# ping outside 10.20.20.1 (to cisco loopback1 from ASA outside interface)
>> Type escape sequence to abort.
>> Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:
>> !!!!!
>> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
>>
>>
>>
>> ; ASA5505 config:
>> ----------------
>>
>> ciscoasa#
>>
>> ASA Version 7.2(4)
>> !
>> hostname ciscoasa
>> enable password 2KFQnbNIdI.2KYOU encrypted
>> passwd 2KFQnbNIdI.2KYOU encrypted
>> names
>> !
>> interface Vlan1
>>  nameif inside
>>  security-level 100
>>  ip address 10.10.10.1 255.255.255.0
>> !
>> interface Vlan2
>>  nameif outside
>>  security-level 0
>>  ip address 192.168.1.2 255.255.255.0
>> !
>> interface Ethernet0/0
>>  desc outside facing
>>  switchport access vlan 2
>> !
>> interface Ethernet0/1
>>  desc inside facing
>> !
>> interface Ethernet0/2
>>  shutdown
>> !
>> interface Ethernet0/3
>>  shutdown
>> !
>> interface Ethernet0/4
>>  shutdown
>> !
>> interface Ethernet0/5
>>  shutdown
>> !
>> interface Ethernet0/6
>>  shutdown
>> !
>> interface Ethernet0/7
>>  shutdown
>> !
>> ftp mode passive
>> access-list INBOUND extended permit icmp any any echo
>> access-list INBOUND extended permit icmp any any echo-reply
>> access-list INBOUND extended permit icmp any any time-exceeded
>> access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
>> access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
>> access-list OUTBOUND extended permit icmp any any echo
>> access-list OUTBOUND extended permit icmp any any echo-reply
>> access-list OUTBOUND extended permit icmp any any time-exceeded
>> pager lines 24
>> mtu inside 1500
>> mtu outside 1500
>> icmp unreachable rate-limit 1 burst-size 1
>> asdm image disk0:/asdm-524.bin
>> no asdm history enable
>> arp timeout 14400
>> nat (inside) 0 access-list nonat
>> access-group OUTBOUND in interface inside
>> access-group INBOUND in interface outside
>> route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
>> timeout xlate 3:00:00
>> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
>> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
>> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
>> timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
>> no snmp-server location
>> no snmp-server contact
>> snmp-server enable traps snmp authentication linkup linkdown coldstart
>> crypto ipsec transform-set ASA5505 esp-aes esp-md5-hmac
>> crypto map outside_map 1 match address outside_1_cryptomap
>> crypto map outside_map 1 set pfs
>> crypto map outside_map 1 set peer 192.168.1.1
>> crypto map outside_map 1 set transform-set ASA5505
>> crypto map outside_map interface outside
>> crypto isakmp enable outside
>> crypto isakmp policy 10
>>  authentication pre-share
>>  encryption 3des
>>  hash md5
>>  group 2
>>  lifetime 86400
>> telnet timeout 5
>> ssh 0.0.0.0 0.0.0.0 outside
>> ssh timeout 30
>> console timeout 0
>>
>> tunnel-group 192.168.1.1 type ipsec-l2l
>> tunnel-group 192.168.1.1 ipsec-attributes
>>  pre-shared-key *
>> !
>> class-map inspection_default
>>  match default-inspection-traffic
>> !
>> !
>> policy-map type inspect dns preset_dns_map
>>  parameters
>>   message-length maximum 512
>> policy-map global_policy
>>  class inspection_default
>>   inspect dns preset_dns_map
>>   inspect ftp
>>   inspect h323 h225
>>   inspect h323 ras
>>   inspect rsh
>>   inspect rtsp
>>   inspect esmtp
>>   inspect sqlnet
>>   inspect skinny
>>   inspect sunrpc
>>   inspect xdmcp
>>   inspect sip
>>   inspect netbios
>>   inspect tftp
>> !
>>
>>
>> ; cisco 2811 config:
>> ------------------
>>
>>  HUB-RTR-2811#
>>
>> !
>> version 12.4
>> service timestamps debug datetime msec
>> service timestamps log datetime msec
>> service password-encryption
>> !
>> hostname HUB-RTR-2811
>> !
>> boot-start-marker
>> boot system flash:c2800nm-adventerprisek9-mz.124-11.XJ4.bin
>> boot-end-marker
>> !
>> logging buffered 51200 warnings
>> !
>> no aaa new-model
>> no network-clock-participate wic 0
>> !
>> !
>> ip cef
>> !
>> !
>> no ip domain lookup
>> !
>> multilink bundle-name authenticated
>> !
>> !
>> voice-card 0
>>  no dspfarm
>> !
>> !
>> crypto pki trustpoint TP-self-signed-2814333580
>>  enrollment selfsigned
>>  subject-name cn=IOS-Self-Signed-Certificate-2814333580
>>  revocation-check none
>>  rsakeypair TP-self-signed-2814333580
>> !
>> !
>> crypto pki certificate chain TP-self-signed-2814333580
>>  certificate self-signed 01
>>   quit
>> !
>> !
>> controller T1 0/0/0
>>  framing esf
>>  linecode b8zs
>>  channel-group 0 timeslots 1-24
>> !
>> controller T1 0/0/1
>>  framing esf
>>  linecode b8zs
>>  channel-group 0 timeslots 1-24
>> vlan internal allocation policy ascending
>> !
>> !
>> crypto isakmp policy 1
>>  encr 3des
>>  hash md5
>>  authentication pre-share
>>  group 2
>> crypto isakmp key cisco address 192.168.1.2
>> !
>> !
>> crypto ipsec transform-set 2811 esp-aes esp-md5-hmac
>> !
>> crypto map MYMAP 1 ipsec-isakmp
>>  set peer 192.168.1.2
>>  set security-association lifetime seconds 86400
>>  set transform-set 2811
>>  set pfs group2
>>  match address net-local-to-remote
>> !
>>
>> interface Loopback1
>>  desc inside network
>>  ip address 10.20.20.1 255.255.255.0
>> !
>> interface FastEthernet0/0
>>  description connection to ASA5505 ipsec tunnel
>>  ip address 192.168.1.1 255.255.255.0
>>  duplex auto
>>  speed auto
>>  crypto map MYMAP
>> !
>> interface FastEthernet0/1
>>  no ip address
>>  shutdown
>>  duplex auto
>>  speed auto
>> !
>> interface Serial0/0/0:0
>>  no ip address
>>  shutdown
>> !
>> interface Serial0/0/1:0
>>  no ip address
>>  shutdown
>> !
>> interface Serial0/2/0
>>  no ip address
>>  shutdown
>> !
>> interface FastEthernet1/0
>>  no switchport
>>  no ip address
>>  duplex full
>>  speed 100
>> !
>> interface FastEthernet1/1
>>  no switchport
>>  no ip address
>>  shutdown
>> !
>> interface FastEthernet1/2
>> !
>> interface FastEthernet1/3
>> !
>> interface FastEthernet1/4
>> !
>> interface FastEthernet1/5
>> !
>> interface FastEthernet1/6
>> !
>> interface FastEthernet1/7
>> !
>> interface FastEthernet1/8
>> !
>> interface FastEthernet1/9
>> !
>> interface FastEthernet1/10
>> !
>> interface FastEthernet1/11
>>  no switchport
>>  no ip address
>> !
>> interface FastEthernet1/12
>> !
>> interface FastEthernet1/13
>> !
>> interface FastEthernet1/14
>> !
>> interface FastEthernet1/15
>> !
>> interface Vlan1
>>  no ip address
>>  shutdown
>> !
>> ip route 0.0.0.0 0.0.0.0 192.168.1.2
>> !
>> !
>> no ip http server
>> no ip http secure-server
>> !
>> ip access-list extended net-local-to-remote
>>  permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
>> !
>>
>> control-plane
>> !
>>
>> line con 0
>>  logging synchronous
>> line aux 0
>> line vty 0 4
>>  privilege level 15
>>  logging synchronous
>>  login local
>>  transport input telnet ssh
>> line vty 5 15
>>  privilege level 15
>>  login local
>>  transport input telnet ssh
>> !
>> scheduler allocate 20000 1000
>> !
>> end
>>
>>
>>
>> ; Prior to the tunnel coming up on 2811
>> --------------------------------------
>>
>> HUB-RTR-2811#show crypto session
>> Crypto session current status
>>
>> Interface: FastEthernet0/0
>> Session status: DOWN
>> Peer: 192.168.1.2 port 500
>>   IPSEC FLOW: permit ip 10.20.20.0/255.255.255.0 10.10.10.0/255.255.255.0
>>         Active SAs: 0, origin: crypto map
>>
>>
>> ; Pushing interesting traffic via ping on 2811 w/ no response, however the
>> ipsec tunnel comes up.
>> -------------------------------------------------------
>>
>> HUB-RTR-2811#ping 10.10.10.1 source loopback1 (pinging towards inside of ASA)
>>
>> Type escape sequence to abort.
>> Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
>> Packet sent with a source address of 10.20.20.1
>> .....
>> Success rate is 0 percent (0/5)
>>
>>
>> HUB-RTR-2811#ping 10.10.10.10 source loopback1 (pinging towards inside of ASA)
>>
>> Type escape sequence to abort.
>> Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
>> Packet sent with a source address of 10.20.20.1
>> .....
>> Success rate is 0 percent (0/5)
>>
>>
>> ; ipsec tunnel comes up even though ping fails
>> --------------------------------------------
>>
>> HUB-RTR-2811#show crypto session
>> Crypto session current status
>>
>> Interface: FastEthernet0/0
>> Session status: UP-ACTIVE
>> Peer: 192.168.1.2 port 500
>>   IKE SA: local 192.168.1.1/500 remote 192.168.1.2/500 Active
>>   IPSEC FLOW: permit ip 10.20.20.0/255.255.255.0 10.10.10.0/255.255.255.0
>>         Active SAs: 2, origin: crypto map
>>
>>
>> Any insight/pointers will be appreciated.
>>
>> I appreciate your time/help.
>>
>>
>> regards,
>> sky
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
> 
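Added example, not from the thread or from either vendor: a small Python checker for the first thing to verify on a site-to-site tunnel like the one above, namely that the ASA crypto ACL (subnet masks) and the IOS crypto ACL (wildcard masks) are exact mirror images, and that the ASA `nonat` exemption covers every crypto pair. The sample input is the ACL text copied from the posted configs; the names `outside_1_cryptomap`, `nonat` and `net-local-to-remote` are the ones the configs use.

```python
import ipaddress
import re

# Constructed sample input: the crypto and NAT-exemption ACL lines from the thread's configs.
ASA_CONFIG = """
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
"""
IOS_CONFIG = """
ip access-list extended net-local-to-remote
 permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
"""


def _net(addr, mask, wildcard=False):
    """Build an IPv4 network from an address plus a subnet mask (ASA) or a wildcard mask (IOS)."""
    if wildcard:  # invert the wildcard bits to get a subnet mask
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_asa_acl(config, name):
    """Return the (src, dst) network pairs of a named ASA extended ACL."""
    pat = re.compile(rf"^access-list {re.escape(name)} extended permit ip (\S+) (\S+) (\S+) (\S+)$")
    matches = (pat.match(line.strip()) for line in config.splitlines())
    return [(_net(m[1], m[2]), _net(m[3], m[4])) for m in matches if m]


def parse_ios_acl(config, name):
    """Return the (src, dst) network pairs of a named IOS extended ACL (indented lines under its header)."""
    pairs, inside = [], False
    for line in config.splitlines():
        if line.startswith(f"ip access-list extended {name}"):
            inside = True
            continue
        if inside and not line.startswith(" "):  # end of the ACL body
            inside = False
        m = re.match(r"^\s+permit ip (\S+) (\S+) (\S+) (\S+)$", line) if inside else None
        if m:
            pairs.append((_net(m[1], m[2], True), _net(m[3], m[4], True)))
    return pairs


def check_site_to_site(asa_config, crypto_acl, nonat_acl, ios_config, ios_acl):
    """List mismatches: crypto ACLs that are not mirror images, and crypto pairs the NAT exemption misses."""
    asa = set(parse_asa_acl(asa_config, crypto_acl))
    nonat = set(parse_asa_acl(asa_config, nonat_acl))
    ios = {(dst, src) for src, dst in parse_ios_acl(ios_config, ios_acl)}  # mirror the router's view
    problems = [f"crypto ACLs are not mirror images for {s} -> {d}" for s, d in asa ^ ios]
    problems += [f"{nonat_acl} does not exempt {s} -> {d} from NAT" for s, d in asa - nonat]
    return problems


if __name__ == "__main__":
    print(check_site_to_site(ASA_CONFIG, "outside_1_cryptomap", "nonat", IOS_CONFIG, "net-local-to-remote") or "OK")
```

For the posted configs the checker returns no problems, which rules out the usual mirror-image and NAT-exemption mistakes and points the troubleshooting elsewhere.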

