Cisco ASA Site-to-Site IKEv1 IPsec VPN

Hi Rene,

I tried to set up a similar tunnel config in my VIRL lab. However, I couldn’t bring my tunnel up. I am attaching my VIRL lab. I would appreciate it if you could check what I am missing in my setup.

Regards,
Iqbal

Here is the attached VIRL

Topology


Strange my attachment is not uploaded.

Hi Rene,

I modified the network in your example with a few more nodes on each site. The network diagram is attached.

The IPSec tunnel is up. Ping from end node 1 to end node 2 is working.
Ping and wget from End Node 1 to Web Server 1 is working and from End Node 2 to Web Server 2 is also working.

However, the ping/wget from End node in one site to the web server on the other site is not working in either direction. When checked with ASA logs, the tunnel is set up and the ping is getting delivered to the web server, but the web server is not responding to the ping request.

Can you please help me find out the issue?

Hmm, if you can ping from end node 1 to end node 2 then your IPsec tunnel is up and running. If you are able to ping within the local subnet then at least you know your IP addresses are configured correctly. A couple of things to check/try here:

  1. Do your webservers have a correct default gateway? Maybe they don’t know how to get outside of their own subnet.

  2. The ACL that you use for your IPsec tunnel. Does it permit all traffic between 192.168.1.0/24 and 192.168.2.0/24? Make sure it matches the traffic that you want to get through the tunnel.

Rene


Hi Rene,

I have a question regarding IPSEC VPN.
If there are many crypto isakmp policies configured on the ASA, how do you know which crypto isakmp policy is being used by the IPsec VPN tunnel?

Kartika

Hello Kartika

The command show crypto isa sa detail will show you the values for the encryption, hash and so on; however, it does not give you the number of the policy in use. Looking at the hash you can then determine the policy. A more elegant way would be to initiate a debug crypto isakmp, bring the tunnel down and back up again, and follow the phase one negotiation messages. The debug messages will show the router going through each individual policy until it finds a match, and you can determine which policy was matched.

I hope this has been helpful!

Laz

Hello Rene,

If you configure an ACL on the inside interface (IN) to allow access from inside to outside, do we need to create an ACL on the inside interface for each new tunnel to allow the traffic between the encryption domains?

thanks

Hello Durga

I’m not quite sure I fully understand your query, however, I will answer and if you need clarification, you can let us know.

In the lab, the access list access-list LAN1_LAN2 was specified in order to indicate the subnets of the internal networks on each end of the VPN. This access list was then used in the crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2 command to indicate that these are the subnets that will be sent over this specific VLAN.

Now if you have additional tunnels to create on one of the devices, then you will require a new access list that defines the subnets that will be participating in that tunnel. For each tunnel, a different ACL must be configured along with all its crypto and other associated commands.

I hope this has been helpful!

Laz

Hi, how can we allow specific traffic on this tunnel? I tried to change the access-list but it didn’t work for me. I want to allow HTTP on this tunnel and other traffic should be restricted.

Hi Khan,

Assuming the HTTP server is behind ASA1, you can do something like this:

ASA1(config)# access-list LAN1_LAN2 extended permit tcp 192.168.1.0 255.255.255.0 eq http 192.168.2.0 255.255.255.0
ASA2(config)# access-list LAN2_LAN1 extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq http 

Make sure you have the correct source and destination ports. Also, clear the IPSec SA after making changes to your access-list.

Rene
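The check Rene's answer implies, as an added example that is not code from the original thread or from Cisco: a small Python parser for the two ACEs above that confirms each side's crypto ACL is the exact mirror of the peer's (proxy IDs swapped), and flags a constructed mismatch where both sides put eq http on the source. Only the network/mask form used in the thread is handled; any, host and object-group ACEs are out of scope (assumption).

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Matches the ACE form used in the thread: network + subnet mask on each
# side, with an optional "eq <port>" after either side. ASA ACLs use
# subnet masks (not wildcards), which IPv4Network accepts directly.
ACE_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+(?P<src>\S+)\s+(?P<smask>\S+)(?:\s+eq\s+(?P<sport>\S+))?"
    r"\s+(?P<dst>\S+)\s+(?P<dmask>\S+)(?:\s+eq\s+(?P<dport>\S+))?\s*$"
)

class Ace(NamedTuple):
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[str]
    dst: ipaddress.IPv4Network
    dport: Optional[str]

def parse_ace(line: str) -> Ace:
    """Parse one ASA extended ACE; raises on syntax this example does not model."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    return Ace(m["action"], m["proto"],
               ipaddress.IPv4Network(f"{m['src']}/{m['smask']}"), m["sport"],
               ipaddress.IPv4Network(f"{m['dst']}/{m['dmask']}"), m["dport"])

def mirror(ace: Ace) -> Ace:
    """The ACE the peer ASA must carry: source and destination (and ports) swapped."""
    return Ace(ace.action, ace.proto, ace.dst, ace.dport, ace.src, ace.sport)

def mirror_mismatches(local_acl: List[str], remote_acl: List[str]) -> List[str]:
    """Return ACEs on either side whose mirror is missing from the other.

    An empty list means both peers describe the same traffic for the tunnel.
    """
    local = {parse_ace(l) for l in local_acl}
    remote = {parse_ace(l) for l in remote_acl}
    return sorted({str(a) for a in local if mirror(a) not in remote}
                  | {str(a) for a in remote if mirror(a) not in local})

# Sample input: the two ACEs from Rene's reply, plus a constructed wrong ASA2 ACE
# that puts "eq http" on the source side (so it no longer mirrors ASA1).
ASA1_ACL = ["access-list LAN1_LAN2 extended permit tcp 192.168.1.0 255.255.255.0 eq http 192.168.2.0 255.255.255.0"]
ASA2_ACL = ["access-list LAN2_LAN1 extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq http"]
ASA2_BAD = ["access-list LAN2_LAN1 extended permit tcp 192.168.2.0 255.255.255.0 eq http 192.168.1.0 255.255.255.0"]
```

Running mirror_mismatches(ASA1_ACL, ASA2_ACL) returns an empty list, while the ASA2_BAD variant reports both unmatched ACEs.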

Hi Rene, I did the site-to-site IKEv1 IPsec lab but I had difficulty. My question is about the tunnel-group type for IPsec: I did not use 121 because I couldn’t get it, so is it a must to use type 121? Thank you very much.

Hi Abdimalik,

The tunnel-group type is “L2L”, not 121 :) That should work.

Rene


Thanks Rene, it works.

I recently deployed a pair of ASAs at two different customer sites. Both ASAs terminate both an MPLS circuit and an iNet circuit. I’m running EIGRP with the MPLS provider on both ASAs, so both sites can route to each other.

The goal is for Site2 to reach Site1 over the MPLS circuit. This works - no problemo

The second goal is for Site 2 to route via L2L VPN tunnel back to Site 1, should the MPLS go down. This is where I’m having an issue.

When I configured a L2L VPN, my NAT exclusion statement at Site 2 is getting hit for some reason when the MPLS is up and I generate traffic FROM site 2 TO site 1. As such, the traffic never goes over the MPLS.

Here’s my config for Site 2 (Site 1 is the same, just with a reversed ACL and NAT statement)

access-list 200 extended permit ip object-group obj-site-2 object-group obj-site-1

nat (inside,outside) 1 source static obj-site-2 obj-site-2 destination static obj-site-1 obj-site-1

crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
 
crypto ikev1 enable outside

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key cisco123
 
crypto map outside_map 20 match address 200
crypto map outside_map 20 set peer 1.1.1.1
crypto map outside_map 20 set ikev1 transform-set ESP-AES-256-SHA

I THOUGHT that the NAT shouldn’t get hit because a route is learned via EIGRP over the MPLS link, which terminates on the ASA. I have a floating static pointing to the outside interface on the ASA at site 2 in case the MPLS goes down.

However, I see the NAT getting hit and traffic not flowing over the MPLS from site 2 to site 1. When I remove the NAT, traffic flows over the MPLS as expected.

I feel like this is a simple fix, but I’m missing something terribly obvious that’s causing traffic to get pushed to the outside interface.

Thanks in advance!

Ok, so I figured it out and thought I’d share my solution in case anyone else is having a similar issue with using a L2L VPN exclusively for backup traffic, i.e. not passing traffic so long as the primary MPLS path is available.

I’ll skip to the chase and point out this is what I was missing, which I’ve added in bold below

nat (inside,outside) 1 source static obj-site-2 obj-site-2 destination static obj-site-1 obj-site-1 no-proxy-arp route-lookup

Ok, basically NAT on an ASA influences routing. If you have a NAT statement, as I did above, without the keyword route-lookup then just by the mere existence of that NAT statement, the ASA will match packets against the source and destination portions of the NAT (obj-site-2 and obj-site-1, respectively) and if a match is found, it will route that traffic out the interface specified by the NAT.

In the example above, traffic coming from the networks specified in obj-site-2 and going to the networks specified in obj-site-1 will be routed out the outside interface. If you add the keyword route-lookup, then you tell the ASA to not automatically route out the outside interface and instead look to the route table for the traffic’s next-hop.

There’s one other command needed to make everything work, and that’s a floating static default to the outside interface. If the MPLS went down, then the route to site-1 would disappear. As such, we need this to push traffic out the outside interface, both for iNet destinations and Site-1 (which would then get matched by the crypto map and pushed out the VPN). Incidentally, part of the design was to backhaul iNet traffic over the MPLS, which is why I use a default route here.

ip route 0.0.0.0 0.0.0.0 <iNet_ISP_GW> 250

Below is a sanitized Visio of the design:

Hello,

In the lesson on configuring IPsec between two sites with static IP addresses, NAT exemption is not mentioned anywhere; shouldn’t it be included? Also, it would be helpful if you could elaborate a bit on NAT-T.
Johnny