Comments on Packets Never Lie: Route-based IPsec VPN on ASA (blog by Renato Morais)

Comments in chronological order; times are as given in the feed (UTC-02:00/-03:00).

Video Game Junkie, 2013-09-09 17:09
It looks like it's trying to build the request to the outside interface and not the vpn interface. Any ideas?

  Sep 09 2013 16:38:08: %ASA-7-710005: UDP request discarded from 192.168.100.2/500 to outside:192.168.255.2/500

Renato Morais, 2013-09-09 17:23
Make sure you have the crypto map bound to the 'vpn' interface. Show me your config if the crypto map is correctly applied.

Video Game Junkie, 2013-09-09 17:27
  interface Ethernet0/0.100
   vlan 100
   nameif outside
   security-level 0
   ip address 192.168.200.2 255.255.255.252
  !
  interface Ethernet0/0.200
   vlan 200
   nameif vpn
   security-level 0
   ip address 192.168.255.2 255.255.255.252

  crypto ipsec transform-set TEST esp-3des esp-md5-hmac
  crypto map VPN 1 match address enc-domain
  crypto map VPN 1 set peer 192.168.100.2
  crypto map VPN 1 set transform-set TEST
  crypto map VPN interface vpn
  crypto isakmp enable vpn

  tunnel-group 192.168.100.2 type ipsec-l2l
  tunnel-group 192.168.100.2 ipsec-attributes
   pre-shared-key *

  route outside 0.0.0.0 0.0.0.0 192.168.200.1 1
  route vpn 192.168.1.0 255.255.255.0 192.168.100.2 1
  route vpn 192.168.100.2 255.255.255.255 192.168.200.1 1

Video Game Junkie, 2013-09-09 17:52
I think I see... I have the vpn 192.168.100.2 going to the outside gw instead of the "vpn" gw. Sorry to bother you! I'm going to assume that's it. Sometimes it's the simple things.

Video Game Junkie, 2013-09-10 13:10
Thanks again. It was a route on my end. The only odd thing I noticed about doing it this way is that I can't ping the "vpn" interface gateway or the actual remote peer external IP. I'm assuming this is because of the 0.0.0.0/0 crypto ACL. Otherwise I can ping through the tunnel just fine.

generic blogger name, 2013-12-12 22:07
An advantage of VTI is that the output interface that is used can be made independent of the virtual interface. This allows routing to select the appropriate interface to get to the tunnel destination (i.e. selecting between a WAN and an internet interface). Is there a means of achieving this with your technique?

Renato Morais, 2013-12-12 22:12
If you enable the crypto map on more than one interface, the ASA will use the routing table to find the best path to the remote peer and establish the tunnel.

Anonymous, 2014-03-07 10:23
Can we do this if we want to have a route-based VPN between a Cisco ASA and a Cisco 2921 router?

Renato Morais, 2014-03-07 16:08
Yes. Using VTI on the router side.

Anonymous, 2014-06-03 15:07
I was just looking at this as an option for connecting to a VPN. Looking at your config, my ISP would have to allow me to have two different subnets and 2 different VLANs to make this work, correct?

Renato Morais, 2014-06-04 18:38
That's right.

Ddog, 2015-11-18 14:14
Is it possible to achieve this without a router sitting between your ASA and the internet? I have my ISP plugged directly into my ASA. The problem with this method is that the entire IP subnet block from my ISP must be assigned to my outside interface, so I can't pick out one public IP for another interface since it overlaps. I would REALLY love to make this work so that I can connect to an Azure dynamic gateway using my ASA.

Renato Morais, 2015-11-24 16:22
You don't need a router if you have an ethernet link with the ISP. Can't you split the range into small subnets?

Anonymous, 2016-04-07 17:47
I have the same problem. I am connected directly to my ISP and only have a limited number of IP addresses (less than the number of remote sites). Is there any other way than to have one IP per remote site?

Renato Morais, 2016-04-07 18:08
In your case, you will need to use a standard policy-based VPN or replace the ASA with a device that supports route-based VPN (e.g. an IOS router).

Abyss (Abid Ghufran), 2016-05-21 09:00
Hello,

I have followed the same IP addressing as above, except I am using a physical interface for vpn instead of a sub-interface; however, I am facing an issue.

  interface Ethernet0/2
   nameif vpn
   security-level 0
   ip address 172.16.200.2 255.255.255.0

  route vpn 172.31.200.2 255.255.255.255 172.16.200.1 1
  route vpn 10.2.0.0 255.255.255.0 172.31.200.2 1

I can see traffic coming in from the inside interface, and the firewall, as per the routes above, is sending ARPs for 172.16.200.1 on the vpn interface. I can see phase 1 being attempted, but it is stuck in MM_WAIT_MSG2. I have checked on the remote firewall and am not seeing any connection attempts.

Please advise.

Regards,
Abid Ghufran

Renato Morais, 2016-05-21 13:50
It sounds like a routing problem between the peers. Do you see IKE traffic on the local gateway?

LuckyM, 2016-11-23 18:44
Hello,

I cannot ping the inside interface of the ASA (10.1.0.1 255.255.255.0) from hosts within the 10.2.0.0/24 network, nor ping hosts within 10.2.0.0/24 directly from the ASA (10.1.0.1 255.255.255.0). What's wrong?

Renato Morais, 2016-11-23 18:48
Have you enabled the "management access" command and added ICMP rules?
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/access_management.html#wp1064497

LuckyM, 2016-11-23 18:54
I found it (management-access inside) and this does not help.

Renato Morais, 2016-11-23 18:56
Check the logs. You must find something useful there; otherwise you will need to troubleshoot using debugs and ASP-type captures.

LuckyM, 2016-11-23 19:03
I think that ICMP ACLs on the interfaces are unnecessary, because all the traffic is tunnelled (thanks to the crypto map). ICMP traffic between the LANs of the sites is working correctly.

Renato Morais, 2016-11-23 19:17
Do you have NAT rules? Check this bug report: CSCtr16184

LuckyM, 2016-11-23 19:21
No, I do not use NAT rules, because it is a "route-based VPN".

LuckyM, 2016-11-24 06:05
But I created NAT statements for a test:

  object network any-network
   subnet 0.0.0.0 0.0.0.0
  nat (inside,outside) source static any-network any-network destination static any-network any-network no-proxy-arp route-lookup
  nat (outside,inside) source static any-network any-network destination static any-network any-network no-proxy-arp route-lookup

The problem still exists. Can you test such communication in your lab environment?