
pix501 to asa5505 tunnel works but no traffic


jweppie

Technical User
Jun 9, 2009
19
NL
Hi gurus,

Been puzzling for a few days now, time to call in some support.

I've got the following network layout and want full traffic between the internal LANs:

192.168.50.0/24-pix501-xxx.xxx.9.85/20(dhcp) <- internet -> xxx.xxx.195.75-asa5505-10.32.1.0/24

My PIX config:
#######################################################
<snip>
access-list inside_outbound_nat0_acl permit ip 192.168.50.0 255.255.255.0 10.32.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.50.0 255.255.255.0 10.32.1.0 255.255.255.0
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 any
<snip>
ip address outside dhcp setroute
ip address inside 192.168.50.1 255.255.255.0
<snip>
global (outside) 1 interface
global (inside) 10 interface
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer xxx.xxx.195.75
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.195.75 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp log 50
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

sh route
outside 0.0.0.0 0.0.0.0 xxx.xxx.8.1 1 DHCP static
outside xxx.xxx.8.0 255.255.248.0 xxx.xxx.9.85 1 CONNECT static
inside 192.168.50.0 255.255.255.0 192.168.50.1 1 CONNECT static

sh nat
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.50.0 255.255.255.0 0 0
##########################################################

My ASA config:
##########################################################
name 10.32.1.0 live_lan description live lan
name 192.168.50.0 jaap_lan description LAN Jaap thuis
name xxx.xxx.9.85 pix_jaap description pix Jaap thuis
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.195.75 255.255.255.192
ospf cost 10
!
interface Vlan3
nameif live
security-level 0
ip address 10.32.1.75 255.255.255.0
ospf cost 10

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
<snip>
same-security-traffic permit intra-interface
access-list outside_20_cryptomap extended permit ip live_lan 255.255.255.0 jaap_lan 255.255.255.0
access-list live_nat0_outbound extended permit ip live_lan 255.255.255.0 jaap_lan 255.255.255.0
<snip>
global (outside) 1 interface
nat (live) 0 access-list live_nat0_outbound
route outside 0.0.0.0 0.0.0.0 xxx.xxx.195.75 1
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth enable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions none
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
ip-comp disable
re-xauth enable
group-lock value xxx.xxx.9.85
pfs enable
split-tunnel-network-list none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem enable
address-pools none
client-access-rule none
vpn-nac-exempt none
aaa authentication ssh console LOCAL
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer pix_jaap
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set nat-t-disable
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group xxx.xxx.9.85 type ipsec-l2l
tunnel-group xxx.xxx.9.85 ipsec-attributes
pre-shared-key *
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
###########################################################
sh route

Gateway of last resort is xxx.xxx.195.75 to network 0.0.0.0

C xxx.xxx.195.64 255.255.255.192 is directly connected, outside
C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C live_lan 255.255.255.0 is directly connected, live
S* 0.0.0.0 0.0.0.0 [1/0] via xxx.xxx.195.75, outside

sh nat
NAT policies on Interface live:
match ip live live_lan 255.255.255.0 outside jaap_lan 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 6
match ip live live_lan 255.255.255.0 live jaap_lan 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0


So the tunnel comes up, but it seems like no traffic returns from the ASA to the PIX.

(RX but no TX, decrypt but no encrypt)

This is a test setup, so I can change stuff around freely.
Help is appreciated.
 
What about logs from the PIX? Anything in there?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I don't know how valuable this info is, but I did a debug of ICMP and packets:

jaappix501(config)# debug packet inside src 192.168.50.4 dst 10.32.1.75 proto $
jaappix501(config)# 11: ICMP echo-request from inside:192.168.50.4 to 10.32.1.75 ID=1024 seq=4101 length=40
--------- PACKET ---------

-- IP --
192.168.50.4 ==> 10.32.1.75

ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c
id = 0x94a9 flags = 0x0 frag off=0x0
ttl = 0x80 proto=0x1 chksum = 0xa800

-- ICMP --
type = 0x8 code = 0x0 checksum=0x3957
identifier = 0x400 seq = 0x1005
-- DATA --
00000010: 61 62 63 64 | abcd
00000020: 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 | efghijklmnopqrst
00000030: 75 76 77 61 62 63 64 65 66 67 68 69 ff | uvwabcdefghi.

--------- END OF PACKET ---------
 
The ICMP packet looks perfectly normal.

Since you don't have your whole config for the PIX listed: do you have the command sysopt connection permit-ipsec in your config?

 
On the ASA I did a:

ping live 192.168.50.4

6 Jun 09 2009 11:23:41 110001 No route to 192.168.50.4 from 10.32.1.75

I think this is the main problem.

I do have this route (as per your instructions):
S jaap_lan 255.255.255.0 [1/0] via xxx.xxx.195.75, outside
 
Yes, that option is there:

sh sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt uauth allow-http-cache
sysopt connection permit-ipsec
no sysopt connection permit-pptp
no sysopt connection permit-l2tp
no sysopt ipsec pl-compatible
 
Man, you should be golden. Can you post back with complete configs of both devices (scrubbed, obviously)?

 
I will do so in about 3 hours from now. In the meantime I've copied a tunnel config from a customer (who has an ASA 5520) and will check all settings against my running config.
 
OK, so here's an update: in a desperate moment of "I don't know what else to do" I've changed the outside IPs of both the PIX (by resetting the cable modem) and the ASA (manually).

Also, I've updated the ASA's IOS and ASDM.
Here are both complete configs (wr t), public IPs obscured.

The tunnel comes up, but I'm still unable to ping through the tunnel.

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxx encrypted
hostname jaappix501
domain-name somedomain.not
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 192.168.50.0 255.255.255.0 10.32.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.50.0 255.255.255.0 10.32.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.32.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list acl_inbound permit ip 10.32.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 any
pager lines 24
logging on
logging monitor debugging
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.50.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.32.1.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.50.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 145.7.191.18 source outside prefer
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer xxx.xxx.195.122
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.195.122 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp log 50
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
dhcpd address 192.168.50.2-192.168.50.10 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username jaap password 5iK83KIbWB7o7sSz encrypted privilege 15
terminal width 80
Cryptochecksum:240387fc9d2ad88b6eb11b4df9ff91ff
: end
[OK]

jaappix501# sh route
outside 0.0.0.0 0.0.0.0 yyy.yyy.212.1 1 DHCP static
outside yyy.yyy.212.0 255.255.252.0 yyy.yyy.213.177 1 CONNECT static
inside 192.168.50.0 255.255.255.0 192.168.50.1 1 CONNECT static

The outside routes are created automatically by DHCP.

#############################################################

ASA Version 8.0(3)
!
hostname flw04
domain-name orwell.nl
enable password xbyvjyEL6B0NGExu encrypted
names
name 10.32.1.0 live_lan description live lan
name 10.32.2.0 control_lan description control lan
name 10.32.5.0 dmz_in_lan description dmz-in lan
name 10.32.4.0 dmz_out_lan description dmz-out lan
name 192.168.50.0 jaap_lan description LAN Jaap thuis
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.195.122 255.255.255.192
ospf cost 10
!
interface Vlan3
nameif live
security-level 0
ip address 10.32.1.75 255.255.255.0
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 4
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name orwell.nl
access-list outside_cryptomap_1 extended permit ip live_lan 255.255.255.0 jaap_lan 255.255.255.0
access-list live_nat0_outbound extended permit ip live_lan 255.255.255.0 jaap_lan 255.255.255.0
access-list outside_nat0_outbound extended permit ip jaap_lan 255.255.255.0 live_lan 255.255.255.0
access-list outside_access_in extended permit tcp jaap_lan 255.255.255.0 live_lan 255.255.255.0
access-list live_access_in extended permit tcp live_lan 255.255.255.0 jaap_lan 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu live 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (live) 0 access-list live_nat0_outbound
access-group outside_access_in in interface outside
access-group live_access_in in interface live
route outside 0.0.0.0 0.0.0.0 xxx.xxx.195.65 1
route outside jaap_lan 255.255.255.0 xxx.xxx.195.122 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication ssh console LOCAL
http server enable
http yyy.yyy.213.177 255.255.255.255 outside
http 94.211.9.85 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 live
http live_lan 255.255.255.0 live
http jaap_lan 255.255.255.0 live
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no service resetoutbound interface outside
no service resetoutbound interface live
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec fragmentation after-encryption outside
crypto ipsec fragmentation after-encryption live
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer yyy.yyy.213.177
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable live
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh yyy.yyy.213.177 255.255.255.255 outside
ssh live_lan 255.255.255.0 live
ssh timeout 20
ssh version 2
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
group-policy DfltGrpPolicy attributes
vpn-filter value outside_nat0_outbound
vpn-tunnel-protocol IPSec
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
customization value DfltCustomization
username jaap password 5iK83KIbWB7o7sSz encrypted
tunnel-group yyy.yyy.213.177 type ipsec-l2l
tunnel-group yyy.yyy.213.177 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1c2ad313d1bb56597c075b7f5ea6ce1a
: end
[OK]
flw04(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is xxx.xxx.195.65 to network 0.0.0.0

C xxx.xxx.195.64 255.255.255.192 is directly connected, outside
C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C live_lan 255.255.255.0 is directly connected, live
S jaap_lan 255.255.255.0 [1/0] via xxx.xxx.195.122, outside
S* 0.0.0.0 0.0.0.0 [1/0] via xxx.xxx.195.65, outside
 
Try removing this:
Code:
access-group live_access_in in interface live
It is only allowing TCP access from your live LAN to your jaap LAN. Have you tried accessing TCP-based resources on the live LAN from your jaap LAN? ICMP echo/traceroute traffic will be denied inbound from the live LAN, and ICMP echo replies will be denied from the live LAN to the jaap LAN.

 
unclerico, you're the man!

I've removed the access-group.

TCP access (tried SSH) is allowed indeed (if a proper route is set on the end device). Ping is not.

Now, how do I allow all traffic from jaap_lan to live_lan and vice versa?
 
If you want to allow all traffic from both sides, then remove any inbound ACLs on the inside interfaces of each device. If you do this, then there should be nothing blocking return traffic.

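The two checks unclerico's diagnosis boils down to, as an added script that is not from the thread or either poster: it parses excerpts of the two posted configs, resolves the ASA `name` aliases, confirms the PIX and ASA crypto ACLs are mirror images, and flags an interface ACL such as `live_access_in` that permits only TCP and would therefore drop ICMP echo replies. The config excerpts are constructed from the lines posted above; the parser only understands the `access-list`, `access-group`, `name` and `crypto map ... match address` formats shown in the thread.

```python
from collections import defaultdict
# Constructed excerpts of the two configs posted in the thread (same names and addresses).
PIX_CFG = """
access-list outside_cryptomap_20 permit ip 192.168.50.0 255.255.255.0 10.32.1.0 255.255.255.0
access-list acl_inbound permit ip 10.32.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 any
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
crypto map outside_map 20 match address outside_cryptomap_20
"""
ASA_CFG = """
name 10.32.1.0 live_lan description live lan
name 192.168.50.0 jaap_lan description LAN Jaap thuis
access-list outside_cryptomap_1 extended permit ip live_lan 255.255.255.0 jaap_lan 255.255.255.0
access-list live_access_in extended permit tcp live_lan 255.255.255.0 jaap_lan 255.255.255.0
access-group live_access_in in interface live
crypto map outside_map 1 match address outside_cryptomap_1
"""

def _endpoint(tok, i, names):
    """Consume one ACE endpoint ('any', 'host X' or 'X MASK'); return ((addr, mask), next index)."""
    if tok[i] == "any":
        return ("0.0.0.0", "0.0.0.0"), i + 1
    if tok[i] == "host":
        return (names.get(tok[i + 1], tok[i + 1]), "255.255.255.255"), i + 2
    return (names.get(tok[i], tok[i]), tok[i + 1]), i + 2

def parse(cfg):
    """Return (acls, access_groups, crypto_acl_names) with 'name' aliases resolved to addresses."""
    names, acls, groups, crypto = {}, defaultdict(list), {}, []
    for line in cfg.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name":                      # ASA object name: name <addr> <alias> ...
            names[tok[2]] = tok[1]
        elif tok[0] == "access-list" and "permit" in tok:
            i = tok.index("permit")               # PIX has no 'extended' keyword, ASA does
            src, j = _endpoint(tok, i + 2, names)
            dst, _ = _endpoint(tok, j, names)
            acls[tok[1]].append((tok[i + 1], src, dst))   # (protocol, source, destination)
        elif tok[0] == "access-group":
            groups[tok[-1]] = tok[1]              # interface -> bound ACL
        elif tok[0] == "crypto" and "match" in tok:
            crypto.append(tok[-1])                # crypto map ... match address <acl>
    return acls, groups, crypto

def crypto_mirrored(cfg_a, cfg_b):
    """True if every crypto ACE on A exists on B with source and destination swapped."""
    acls_a, _, crypto_a = parse(cfg_a)
    acls_b, _, crypto_b = parse(cfg_b)
    aces_b = {ace for name in crypto_b for ace in acls_b[name]}
    return all((p, d, s) in aces_b for name in crypto_a for p, s, d in acls_a[name])

def icmp_blocked_on(cfg, iface):
    """Return the ACL bound to iface if no ACE in it permits 'ip' or 'icmp' (echo replies dropped), else None."""
    acls, groups, _ = parse(cfg)
    acl = groups.get(iface)                       # None when no ACL is bound: nothing to flag
    protos = {p for p, _, _ in acls.get(acl, [])}
    return acl if acl and not protos & {"ip", "icmp"} else None
```

Running `icmp_blocked_on(ASA_CFG, "live")` names `live_access_in`, the ACL the thread ended up removing, while the PIX's `acl_inbound` passes because it permits `ip`.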
 