Hello guys, I have a problem with dual ISP + IPsec on my Cisco ASA 5505 (Security Plus licence). Routing is working correctly (connecting to the Internet from site A works through the first and also the second ISP), but IPsec works only through the first ISP! It seems that phase 1 and phase 2 of IPsec are correct, but packets are only being encrypted, not decrypted. Do you have any idea what is wrong?

I'm trying to ping from site A (PC - 10.4.1.66) to site B (PC - 10.3.128.50).

Thanks

config site A:
##########################################################################
ASA5505 Version 8.2(1)

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.4.1.65 255.255.255.248
!
interface Vlan2
 nameif primaryISP (NAT1:1 212.89.229.xz)
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan3
 nameif backupISP
 security-level 0
 ip address 212.89.235.yy 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
access-list outside_cryptomap extended permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0
access-list nonat extended permit ip 10.4.1.64 255.255.255.248 10.3.0.0 255.255.0.0
access-list nonat extended permit ip 10.4.1.64 255.255.255.248 10.16.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu internet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (internet) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.4.1.64 255.255.255.248
route primaryISP 0.0.0.0 0.0.0.0 192.168.1.1 1 track 1
route backupISP 0.0.0.0 0.0.0.0 212.89.235.yy 254
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 212.89.229.xx interface primaryISP
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 212.89.229.xx
crypto map outside_map0 1 set transform-set ESP-AES-256-SHA
crypto map outside_map0 1 set security-association lifetime seconds 28800
crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 interface primaryISP
crypto map outside_map0 interface backupISP
crypto isakmp identity hostname
crypto isakmp enable primaryISP
crypto isakmp enable backupISP
crypto isakmp policy 3
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 300
!
track 1 rtr 123 reachability
telnet 10.4.1.64 255.255.255.248 inside
telnet timeout 1440
ssh 10.4.1.64 255.255.255.248 inside
ssh 212.89.229.xx 255.255.255.255 outside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 194.160.23.2 source primaryISP
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group 212.89.229.xx type ipsec-l2l
tunnel-group 212.89.229.xx ipsec-attributes
 pre-shared-key *

siteA# sh crypto isakmp sa d

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 212.89.229.xx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 300
    Lifetime Remaining: 91

siteA# sh crypto ipsec sa

interface: internet
    Crypto map tag: outside_map0, seq num: 1, local addr: 212.89.235.yy

      access-list outside_cryptomap permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.4.1.64/255.255.255.248/1/0)
      remote ident (addr/mask/prot/port): (10.3.128.0/255.255.255.0/1/0)
      current_peer: 212.89.229.xx

      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 212.89.235.yy, remote crypto endpt.: 212.89.229.xx

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 2A9B550B

    inbound esp sas:
      spi: 0xCF456F65 (3477434213)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 32768, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4374000/28629)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x2A9B550B (714822923)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 32768, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373999/28629)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

siteA# sh logging asdm | i 10.3.128.50
6|Sep 19 2011 10:27:37|302020: Built outbound ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024
6|Sep 19 2011 10:27:39|302021: Teardown ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024

config site B:
##########################################################################
ASA 5510 Version 8.0(4)

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 212.89.229.xx 255.255.255.240
 ospf cost 10
!
interface Ethernet0/1.10
 vlan 10
 nameif users
 security-level 50
 ip address 10.3.128.0 255.255.255.0
!
access-list siteA extended permit ip 10.3.128.0 255.255.255.0 10.4.1.64 255.255.255.248
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 212.89.229.xz
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 9 set security-association lifetime seconds 28800
crypto map outside_map 9 set security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address SiteA
crypto map outside_map 10 set peer 212.89.235.yy
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 212.89.229.xz type ipsec-l2l
tunnel-group 212.89.229.xx ipsec-attributes
 pre-shared-key *
tunnel-group 212.89.235.yy type ipsec-l2l
tunnel-group 212.89.235.yy ipsec-attributes
 pre-shared-key *

SiteB# sh crypto isakmp sa d

   Active SA: 7
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 8

8   IKE Peer: 212.89.235.yy
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 300
    Lifetime Remaining: 245

SiteB# sh crypto ipsec sa | b 212.89.235.yy

      current_peer: 212.89.235.yy

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 212.89.229.xz, remote crypto endpt.: 212.89.235.yy

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: CF456F65

    inbound esp sas:
      spi: 0x2A9B550B (714822923)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4378624, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/27310)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00001FFF
    outbound esp sas:
      spi: 0xCF456F65 (3477434213)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4378624, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/27308)
         IV size: 16 bytes
         replay detection support: Y

siteB# sh logging asdm | i 10.4.1.66
6|Sep 19 2011 10:29:49|302021: Teardown ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0
6|Sep 19 2011 10:29:50|302020: Built inbound ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0
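The quickest way to read a one-way tunnel like this is to line up the encaps/decaps counters from both peers and ask, per direction, whether the sender ever encapsulated and whether the receiver ever decapsulated. The script below is an added example, not part of the original post or of any Cisco tool: it parses the `#pkts encaps`/`#pkts decaps` lines of `show crypto ipsec sa` output (the constructed excerpts embedded in it are copied from the counters pasted above) and classifies each direction. Nothing in it touches a device; the function names and the verdict labels are my own.

```python
import re

# Constructed excerpts: only the peer and counter lines from the two
# "sh crypto ipsec sa" dumps in the post above, nothing else.
SITE_A_SA = """\
      current_peer: 212.89.229.xx
      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

SITE_B_SA = """\
      current_peer: 212.89.235.yy
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
      #send errors: 0, #recv errors: 0
"""

PEER_RE = re.compile(r"current_peer:\s+(\S+)")
COUNTER_RE = re.compile(
    r"#(pkts (?:encaps|encrypt|digest|decaps|decrypt|verify)|send errors|recv errors):\s*(\d+)"
)


def parse_sa_counters(output):
    """Return {peer: {counter_name: int}} for every SA block found in the output.

    A block starts at a 'current_peer:' line; counter lines that appear before
    any peer line are ignored because they cannot be attributed to an SA.
    """
    result, peer = {}, None
    for line in output.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            result.setdefault(peer, {})
            continue
        if peer is None:
            continue
        for name, value in COUNTER_RE.findall(line):
            result[peer][name] = int(value)
    return result


def classify_sa(counters):
    """Label one SA from its own counters only (what a single peer can see)."""
    if counters.get("send errors", 0) or counters.get("recv errors", 0):
        return "errors"
    tx, rx = counters.get("pkts encaps", 0), counters.get("pkts decaps", 0)
    if tx and rx:
        return "bidirectional"
    if tx:
        return "tx-only"   # we encrypt, nothing ever comes back
    if rx:
        return "rx-only"   # we decrypt, but never send into this SA
    return "idle"


def correlate(local_ctr, remote_ctr):
    """Judge each direction using both peers' counters.

    forward = local -> remote: local encaps vs remote decaps
    reverse = remote -> local: remote encaps vs local decaps
    Verdicts: 'ok' (sent and received), 'not-sent' (the sender never
    encapsulated anything into this SA, so the problem is before encryption:
    the reply never matched this crypto map entry), 'lost' (encapsulated but
    nothing decapsulated at the far end, so the ESP packets went missing).
    """
    def direction(tx, rx):
        if tx == 0:
            return "not-sent"
        return "lost" if rx == 0 else "ok"

    return {
        "forward": direction(local_ctr.get("pkts encaps", 0), remote_ctr.get("pkts decaps", 0)),
        "reverse": direction(remote_ctr.get("pkts encaps", 0), local_ctr.get("pkts decaps", 0)),
    }


def main():
    a = parse_sa_counters(SITE_A_SA)["212.89.229.xx"]
    b = parse_sa_counters(SITE_B_SA)["212.89.235.yy"]
    print("site A SA:", classify_sa(a))
    print("site B SA:", classify_sa(b))
    for name, verdict in correlate(a, b).items():
        print(f"{name:8s} {verdict}")


if __name__ == "__main__":
    main()
```

On the counters in the post this reports site A as `tx-only`, site B as `rx-only`, forward `ok` and reverse `not-sent`: site B decapsulates the pings (its own log even shows the inbound ICMP connection being built), but its encaps counter for the 212.89.235.yy peer stays at zero, so the echo replies are never being handed to that SA. That narrows the search to how site B selects a path and a crypto map entry for the return traffic, rather than to the IKE or ESP negotiation, which both peers show as healthy.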