[c-nsp] ASA: site-to-site vpn to cisco router.

Tom Sutherland tsuther at i3bus.com
Wed Oct 31 19:26:45 EDT 2012


try "management-access inside"

On 10/27/2012 06:44 PM, sky vader wrote:
> Hi,
>
> I thought the below is to permit traffic between same interface but in
> my case it's different interfaces (outside / inside) between different
> security level (0 / 100).
>
> Used the below to no avail.
>
> ciscoasa#same-security-traffic permit intra-interface
>
> I even tried,
>
> ciscoasa#same-security-traffic permit inter-interface
>
> Still no luck.
>
>
> regards,
> sky
>
>
> On 10/27/2012 02:22 PM, Randy wrote:
>> Hello,
>> IIRC hairpinning is disabled by default on ASA. You have to enable via:
>>
>> "same-security-traffic permit intra-interface"
>>
>> ./Randy
>>
>> --- On Sat, 10/27/12, sky vader <aptgetd at gmail.com> wrote:
>>
>>> From: sky vader <aptgetd at gmail.com>
>>> Subject: [c-nsp] ASA: site-to-site vpn to cisco router.
>>> To: cisco-nsp at puck.nether.net
>>> Date: Saturday, October 27, 2012, 10:34 AM
>>> Hi,
>>>
>>> I have a very basic lab site to site vpn setup where I have an ASA 5505 running v7.2(4) on one side and a cisco 2811 on the other side.
>>>
>>> What's my issue?
>>>
>>> I can't seem to ping from cisco 2811 to the 'inside' network of ASA (see config below) and can't seem to ping from ASA 'inside' network to the 'outside' network towards cisco 2811 even w/ an ICMP ACL permit outside in.
>>> However, I'm able to ping within ASA inside network & ping cisco 2811 side w/ packets leaving ASA 'outside' interface just fine.
>>>
>>>
>>> example:
>>> -------
>>> ciscoasa# ping inside 10.20.20.1 (to cisco loopback1 from ASA inside)
>>> Type escape sequence to abort.
>>> Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:
>>> ?????
>>> Success rate is 0 percent (0/5)
>>>
>>>
>>> ciscoasa# ping outside 10.20.20.1 (to cisco loopback1 from ASA outside interface)
>>> Type escape sequence to abort.
>>> Sending 5, 100-byte ICMP Echos to 10.20.20.1, timeout is 2 seconds:
>>> !!!!!
>>> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
>>>
>>>
>>>
>>> ; ASA5505 config:
>>> ----------------
>>>
>>> ciscoasa#
>>>
>>> ASA Version 7.2(4)
>>> !
>>> hostname ciscoasa
>>> enable password 2KFQnbNIdI.2KYOU encrypted
>>> passwd 2KFQnbNIdI.2KYOU encrypted
>>> names
>>> !
>>> interface Vlan1
>>>   nameif inside
>>>   security-level 100
>>>   ip address 10.10.10.1 255.255.255.0
>>> !
>>> interface Vlan2
>>>   nameif outside
>>>   security-level 0
>>>   ip address 192.168.1.2 255.255.255.0
>>> !
>>> interface Ethernet0/0
>>>   desc outside facing
>>>   switchport access vlan 2
>>> !
>>> interface Ethernet0/1
>>>   desc inside facing
>>> !
>>> interface Ethernet0/2
>>>   shutdown
>>> !
>>> interface Ethernet0/3
>>>   shutdown
>>> !
>>> interface Ethernet0/4
>>>   shutdown
>>> !
>>> interface Ethernet0/5
>>>   shutdown
>>> !
>>> interface Ethernet0/6
>>>   shutdown
>>> !
>>> interface Ethernet0/7
>>>   shutdown
>>> !
>>> ftp mode passive
>>> access-list INBOUND extended permit icmp any any echo
>>> access-list INBOUND extended permit icmp any any echo-reply
>>> access-list INBOUND extended permit icmp any any time-exceeded
>>> access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
>>> access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
>>> access-list OUTBOUND extended permit icmp any any echo
>>> access-list OUTBOUND extended permit icmp any any echo-reply
>>> access-list OUTBOUND extended permit icmp any any time-exceeded
>>> pager lines 24
>>> mtu inside 1500
>>> mtu outside 1500
>>> icmp unreachable rate-limit 1 burst-size 1
>>> asdm image disk0:/asdm-524.bin
>>> no asdm history enable
>>> arp timeout 14400
>>> nat (inside) 0 access-list nonat
>>> access-group OUTBOUND in interface inside
>>> access-group INBOUND in interface outside
>>> route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
>>> timeout xlate 3:00:00
>>> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
>>> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
>>> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
>>> timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
>>> no snmp-server location
>>> no snmp-server contact
>>> snmp-server enable traps snmp authentication linkup linkdown coldstart
>>> crypto ipsec transform-set ASA5505 esp-aes esp-md5-hmac
>>> crypto map outside_map 1 match address outside_1_cryptomap
>>> crypto map outside_map 1 set pfs
>>> crypto map outside_map 1 set peer 192.168.1.1
>>> crypto map outside_map 1 set transform-set ASA5505
>>> crypto map outside_map interface outside
>>> crypto isakmp enable outside
>>> crypto isakmp policy 10
>>>   authentication pre-share
>>>   encryption 3des
>>>   hash md5
>>>   group 2
>>>   lifetime 86400
>>> telnet timeout 5
>>> ssh 0.0.0.0 0.0.0.0 outside
>>> ssh timeout 30
>>> console timeout 0
>>>
>>> tunnel-group 192.168.1.1 type ipsec-l2l
>>> tunnel-group 192.168.1.1 ipsec-attributes
>>>   pre-shared-key *
>>> !
>>> class-map inspection_default
>>>   match default-inspection-traffic
>>> !
>>> !
>>> policy-map type inspect dns preset_dns_map
>>>   parameters
>>>    message-length maximum 512
>>> policy-map global_policy
>>>   class inspection_default
>>>    inspect dns preset_dns_map
>>>    inspect ftp
>>>    inspect h323 h225
>>>    inspect h323 ras
>>>    inspect rsh
>>>    inspect rtsp
>>>    inspect esmtp
>>>    inspect sqlnet
>>>    inspect skinny
>>>    inspect sunrpc
>>>    inspect xdmcp
>>>    inspect sip
>>>    inspect netbios
>>>    inspect tftp
>>> !
>>>
>>>
>>> ; cisco 2811 config:
>>> ------------------
>>>
>>>   HUB-RTR-2811#
>>>
>>> !
>>> version 12.4
>>> service timestamps debug datetime msec
>>> service timestamps log datetime msec
>>> service password-encryption
>>> !
>>> hostname HUB-RTR-2811
>>> !
>>> boot-start-marker
>>> boot system flash:c2800nm-adventerprisek9-mz.124-11.XJ4.bin
>>> boot-end-marker
>>> !
>>> logging buffered 51200 warnings
>>> !
>>> no aaa new-model
>>> no network-clock-participate wic 0
>>> !
>>> !
>>> ip cef
>>> !
>>> !
>>> no ip domain lookup
>>> !
>>> multilink bundle-name authenticated
>>> !
>>> !
>>> voice-card 0
>>>   no dspfarm
>>> !
>>> !
>>> crypto pki trustpoint TP-self-signed-2814333580
>>>   enrollment selfsigned
>>>   subject-name cn=IOS-Self-Signed-Certificate-2814333580
>>>   revocation-check none
>>>   rsakeypair TP-self-signed-2814333580
>>> !
>>> !
>>> crypto pki certificate chain TP-self-signed-2814333580
>>>   certificate self-signed 01
>>>    quit
>>> !
>>> !
>>> controller T1 0/0/0
>>>   framing esf
>>>   linecode b8zs
>>>   channel-group 0 timeslots 1-24
>>> !
>>> controller T1 0/0/1
>>>   framing esf
>>>   linecode b8zs
>>>   channel-group 0 timeslots 1-24
>>> vlan internal allocation policy ascending
>>> !
>>> !
>>> crypto isakmp policy 1
>>>   encr 3des
>>>   hash md5
>>>   authentication pre-share
>>>   group 2
>>> crypto isakmp key cisco address 192.168.1.2
>>> !
>>> !
>>> crypto ipsec transform-set 2811 esp-aes esp-md5-hmac
>>> !
>>> crypto map MYMAP 1 ipsec-isakmp
>>>   set peer 192.168.1.2
>>>   set security-association lifetime seconds 86400
>>>   set transform-set 2811
>>>   set pfs group2
>>>   match address net-local-to-remote
>>> !
>>>
>>> interface Loopback1
>>>   desc inside network
>>>   ip address 10.20.20.1 255.255.255.0
>>> !
>>> interface FastEthernet0/0
>>>   description connection to ASA5505 ipsec tunnel
>>>   ip address 192.168.1.1 255.255.255.0
>>>   duplex auto
>>>   speed auto
>>>   crypto map MYMAP
>>> !
>>> interface FastEthernet0/1
>>>   no ip address
>>>   shutdown
>>>   duplex auto
>>>   speed auto
>>> !
>>> interface Serial0/0/0:0
>>>   no ip address
>>>   shutdown
>>> !
>>> interface Serial0/0/1:0
>>>   no ip address
>>>   shutdown
>>> !
>>> interface Serial0/2/0
>>>   no ip address
>>>   shutdown
>>> !
>>> interface FastEthernet1/0
>>>   no switchport
>>>   no ip address
>>>   duplex full
>>>   speed 100
>>> !
>>> interface FastEthernet1/1
>>>   no switchport
>>>   no ip address
>>>   shutdown
>>> !
>>> interface FastEthernet1/2
>>> !
>>> interface FastEthernet1/3
>>> !
>>> interface FastEthernet1/4
>>> !
>>> interface FastEthernet1/5
>>> !
>>> interface FastEthernet1/6
>>> !
>>> interface FastEthernet1/7
>>> !
>>> interface FastEthernet1/8
>>> !
>>> interface FastEthernet1/9
>>> !
>>> interface FastEthernet1/10
>>> !
>>> interface FastEthernet1/11
>>>   no switchport
>>>   no ip address
>>> !
>>> interface FastEthernet1/12
>>> !
>>> interface FastEthernet1/13
>>> !
>>> interface FastEthernet1/14
>>> !
>>> interface FastEthernet1/15
>>> !
>>> interface Vlan1
>>>   no ip address
>>>   shutdown
>>> !
>>> ip route 0.0.0.0 0.0.0.0 192.168.1.2
>>> !
>>> !
>>> no ip http server
>>> no ip http secure-server
>>> !
>>> ip access-list extended net-local-to-remote
>>>   permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
>>> !
>>>
>>> control-plane
>>> !
>>>
>>> line con 0
>>>   logging synchronous
>>> line aux 0
>>> line vty 0 4
>>>   privilege level 15
>>>   logging synchronous
>>>   login local
>>>   transport input telnet ssh
>>> line vty 5 15
>>>   privilege level 15
>>>   login local
>>>   transport input telnet ssh
>>> !
>>> scheduler allocate 20000 1000
>>> !
>>> end
>>>
>>>
>>>
>>> ; Prior to the tunnel coming up on 2811
>>> --------------------------------------
>>>
>>> HUB-RTR-2811#show crypto session
>>> Crypto session current status
>>>
>>> Interface: FastEthernet0/0
>>> Session status: DOWN
>>> Peer: 192.168.1.2 port 500
>>>    IPSEC FLOW: permit ip 10.20.20.0/255.255.255.0 10.10.10.0/255.255.255.0
>>>          Active SAs: 0, origin: crypto map
>>>
>>>
>>> ; Pushing interesting traffic via ping on 2811 w/ no response, however ipsec tunnel comes up.
>>> -------------------------------------------------------
>>>
>>> HUB-RTR-2811#ping 10.10.10.1 source loopback1 (pinging towards inside of ASA)
>>>
>>> Type escape sequence to abort.
>>> Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
>>> Packet sent with a source address of 10.20.20.1
>>> .....
>>> Success rate is 0 percent (0/5)
>>>
>>>
>>> HUB-RTR-2811#ping 10.10.10.10 source loopback1 (pinging towards inside of ASA)
>>>
>>> Type escape sequence to abort.
>>> Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
>>> Packet sent with a source address of 10.20.20.1
>>> .....
>>> Success rate is 0 percent (0/5)
>>>
>>>
>>> ; ipsec tunnel comes up even though ping fails
>>> --------------------------------------------
>>>
>>> HUB-RTR-2811#show crypto session
>>> Crypto session current status
>>>
>>> Interface: FastEthernet0/0
>>> Session status: UP-ACTIVE
>>> Peer: 192.168.1.2 port 500
>>>    IKE SA: local 192.168.1.1/500 remote 192.168.1.2/500 Active
>>>    IPSEC FLOW: permit ip 10.20.20.0/255.255.255.0 10.10.10.0/255.255.255.0
>>>          Active SAs: 2, origin: crypto map
>>>
>>>
>>> Any insight/pointers will be appreciated.
>>>
>>> I appreciate your time/help.
>>>
>>>
>>> regards,
>>> sky
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
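As an added example (not part of the thread, not Cisco's tooling), a small Python check for the two things the replies point at: whether the ASA crypto ACL (netmask form) is an exact mirror of the 2811 crypto ACL (wildcard form), and whether a pinged address is the ASA's own interface address on an interface that has no `management-access` line. The config excerpts are copied from the configs posted above; the function names are my own.

```python
import ipaddress
import re

# Constructed excerpts of the ASA and 2811 configs posted in the thread.
ASA_CFG = """\
 nameif inside
 ip address 10.10.10.1 255.255.255.0
 nameif outside
 ip address 192.168.1.2 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
"""
IOS_ACL = "permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255"

def _net(addr, mask, wildcard=False):
    """Network from address + netmask (ASA) or address + wildcard mask (IOS)."""
    if wildcard:
        mask = str(ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def acl_nets(line, wildcard=False):
    """(src, dst) networks from a 'permit ip SRC MASK DST MASK' ACL entry."""
    m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", line)
    a, am, b, bm = m.groups()
    return _net(a, am, wildcard), _net(b, bm, wildcard)

def crypto_acls_mirror(asa_line, ios_line):
    """Phase 2 proxy IDs must be exact mirrors, or the IPsec SA will not match."""
    asa_src, asa_dst = acl_nets(asa_line)
    ios_src, ios_dst = acl_nets(ios_line, wildcard=True)
    return asa_src == ios_dst and asa_dst == ios_src

def asa_interface_ips(cfg):
    """Map nameif -> interface address from an ASA running-config."""
    ifaces, name = {}, None
    for line in cfg.splitlines():
        m = re.match(r"\s*nameif (\S+)", line)
        if m:
            name = m.group(1)
        m = re.match(r"\s*ip address (\S+) ", line)
        if m and name:
            ifaces[name] = ipaddress.ip_address(m.group(1))
    return ifaces

def missing_management_access(cfg, target):
    """nameif whose own address is `target` but has no `management-access`, else None."""
    for name, ip in asa_interface_ips(cfg).items():
        if ip == ipaddress.ip_address(target) and not re.search(
                rf"^management-access {name}$", cfg, re.M):
            return name
    return None
```

A hit from `missing_management_access` explains only the ping to 10.10.10.1 (the ASA's inside address); a host such as 10.10.10.10 behind the ASA is not covered by this check.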


