3/23/2020 All About Static IPSec L2L and ASP Table - ASA 9.X - ASApedia

All About Static IPSec L2L and ASP Table - ASA 9.X
From ASApedia

This article contains outdated information

Last updated on 2016-09-10 21:31:44 UTC by David Silverman


This page will use a basic static L2L configuration to describe what happens with the ASA.

This page is based on ASA version 9.X and later.

Refer to All_About_Static_IPSec_L2L_and_ASP_Table_-_ASA_8.0.4 (http://asapedia.cisco.com/index.php/All_About_Static_IPSec_L2L_and_ASP_Table_-_ASA_8.0.4) for 8.0.4 and earlier.

Network Diagram:

95.1.224.0/19               85.1.224.0/19 --X-- 75.1.224.0/19               65.1.224.0/19
(TDG=.224.1)                 (DG=.224.1)         (DG=.224.1)                (TDG=.224.1)
      |                           |                   |                           |
      |-- .226.1 [ASA-1] .226.1 --|                   |-- .250.1 [ASA-2] .250.1 --|
      |                           |                   |                           |

DG - Default Gateway
TDG - Tunnel Default Gateway

Contents
1 Configuring Static L2L to ASA-2
2 A Look at the ASP Table before L2L is Established
3 What Occurred to Bring Up the Tunnel on Data
4 What About VPN Filters
5 Troubleshooting Why a L2L is not Establishing on Data

Configuring Static L2L to ASA-2


Create IKEv1 Phase 1 Policy

crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

Create Tunnel-Group

tunnel-group 75.1.250.1 type ipsec-l2l
tunnel-group 75.1.250.1 ipsec-attributes
 ikev1 pre-shared-key password

Config object-groups for each side

object-group network ASA-1
 network-object host 85.1.226.1
 network-object 95.1.224.0 255.255.224.0
object-group network ASA-2
 network-object host 75.1.250.1
 network-object 65.1.224.0 255.255.224.0

Create Access-List (local to remote)

access-list ASA1toASA2 extended permit ip object-group ASA-1 object-group ASA-2

Create Phase 2 Transform Set

crypto ipsec ikev1 transform-set AES-SHA esp-aes esp-sha-hmac

Create Phase 2 Crypto Map

crypto map outside_map 10 match address ASA1toASA2
crypto map outside_map 10 set peer 75.1.250.1
crypto map outside_map 10 set ikev1 transform-set AES-SHA

Attach Phase 2 Crypto Map to Outside Interface

crypto map outside_map interface outside

Enable IKEv1 on Outside Interface

crypto ikev1 enable outside

A Look at the ASP Table before L2L is Established


Let's look at the crypto data in the ASP table while the L2L tunnel is down.

ASA# show asp table classify crypto

Input Table
in id=0xaef866f0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
in id=0xaef86cc8, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=75.1.250.1, mask=255.255.255.255, port=0, tag=0
dst ip/id=85.1.226.1, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
in id=0xaef86db0, priority=70, domain=ipsec-tunnel-flow, deny=false

hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=65.1.224.0, mask=255.255.224.0, port=0, tag=0
dst ip/id=85.1.226.1, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
in id=0xaef86e98, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=75.1.250.1, mask=255.255.255.255, port=0, tag=0
dst ip/id=95.1.224.0, mask=255.255.224.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
in id=0xaef86f80, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=65.1.224.0, mask=255.255.224.0, port=0, tag=0
dst ip/id=95.1.224.0, mask=255.255.224.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
in id=0xae7dd1f0, priority=13, domain=decrypt, deny=true
hits=0, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=50
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=85.1.226.1, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
in id=0xae7dd678, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
in id=0xaef86840, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=::/128, port=0, tag=0
dst ip/id=::/128, port=0, tag=0
input_ifc=outside, output_ifc=any
in id=0xae7de2e0, priority=13, domain=decrypt, deny=true
hits=0, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=50
src ip/id=::/0, port=0, tag=0
dst ip/id=fe80::218:73ff:fe17:c69a/128, port=0, tag=0
input_ifc=outside, output_ifc=any
in id=0xae7de820, priority=13, domain=decrypt, deny=true
hits=0, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=50
src ip/id=::/0, port=0, tag=0
dst ip/id=fd85:5000:3000:2207:85:1:226:1/128, port=0, tag=0
input_ifc=outside, output_ifc=any
in id=0xae7ded60, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=8, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=::/0, port=0, tag=0
dst ip/id=::/0, port=0, tag=0
input_ifc=outside, output_ifc=any

Output Table:
out id=0xadd400f8, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
out id=0xaef86928, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=85.1.226.1, mask=255.255.255.255, port=0, tag=0
dst ip/id=75.1.250.1, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
out id=0xaef86a10, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=85.1.226.1, mask=255.255.255.255, port=0, tag=0
dst ip/id=65.1.224.0, mask=255.255.224.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
out id=0xaef86af8, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=95.1.224.0, mask=255.255.224.0, port=0, tag=0
dst ip/id=75.1.250.1, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
out id=0xaef86be0, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=95.1.224.0, mask=255.255.224.0, port=0, tag=0
dst ip/id=65.1.224.0, mask=255.255.224.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
out id=0xaef86798, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=::/128, port=0, tag=0
dst ip/id=::/128, port=0, tag=0

input_ifc=any, output_ifc=outside

L2 - Output Table:

L2 - Input Table:

Last clearing of hits counters: Never

The above output shows four "cascade delimiter" rules (IPv4 and IPv6, in the ipsec-tunnel-flow and encrypt domains), four static ACE ipsec-tunnel-flow rules (one for each ACL entry), and four static ACE encrypt rules (one for each ACL entry). The "cascade delimiter" encrypt rule defines the beginning of a set of static encrypt rules associated with a crypto map entry. All entries in the set share the same cascade identifier (cs_id); the cs_id value contains the address of the crypto map entry, which guarantees uniqueness. The user_data field contains the VPN_CONTEXT ID. The VPN_CONTEXT holds the crypto information associated with an inbound or outbound IPsec SA.

All the static rules have a user_data field of NULL (0x0), indicating that they have no VPN_CONTEXT associated with them.

Let's look at the crypto data in the ASP table after pinging 65.1.224.10 from 95.1.224.10 (a PC on the inside of ASA1).

ASA# show asp table classify interface outside domain permit

Interface outside:
<snip>
in id=0x4059ee0, priority=70, domain=permit, deny=false
hits=0, user_data=0x8eec, cs_id=0x0, reverse, flags=0x0, protocol=50
src ip=75.1.250.1, mask=255.255.255.255, tag=any
dst ip=85.1.226.1, mask=255.255.255.255, SPI=0xE7A3223, tag=any, dscp=0x0
<snip>
out id=0x3a16a10, priority=70, domain=permit, deny=false
hits=0, user_data=0x612c, cs_id=0x0, reverse, flags=0x0, protocol=50
src ip=85.1.226.1, mask=255.255.255.255, tag=any
dst ip=75.1.250.1, mask=255.255.255.255, SPI=0x2AD5F4C2, tag=any, dscp=0x0
<snip>

ASA# show asp table classify crypto

Input Table
in id=0xae505750, priority=70, domain=decrypt, deny=false
hits=0, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=50
src ip/id=75.1.227.1, mask=255.255.255.255, tag=any
dst ip/id=85.1.225.1, mask=255.255.255.255, SPI=0xE7A3223, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
in id=0xaef866f0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
in id=0xaef86cc8, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=75.1.250.1, mask=255.255.255.255, port=0, tag=0
dst ip/id=85.1.226.1, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
in id=0xaef86db0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=65.1.224.0, mask=255.255.224.0, port=0, tag=0
dst ip/id=85.1.226.1, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
in id=0xaef86e98, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=75.1.250.1, mask=255.255.255.255, port=0, tag=0
dst ip/id=95.1.224.0, mask=255.255.224.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
in id=0xaef86f80, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=1, user_data=0x8eec, cs_id=0xad408d48, reverse, flags=0x0, protocol=0

src ip/id=65.1.224.0, mask=255.255.224.0, port=0, tag=0
dst ip/id=95.1.224.0, mask=255.255.224.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
in id=0xaef86f80, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=1, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=65.1.224.0, mask=255.255.224.0, port=0, tag=0
dst ip/id=95.1.224.0, mask=255.255.224.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
in id=0xae7dd1f0, priority=13, domain=decrypt, deny=true
hits=0, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=50
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=85.1.226.1, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
in id=0xae7dd678, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
in id=0xaef86840, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=::/128, port=0, tag=0
dst ip/id=::/128, port=0, tag=0
input_ifc=outside, output_ifc=any
in id=0xae7de2e0, priority=13, domain=decrypt, deny=true
hits=0, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=50
src ip/id=::/0, port=0, tag=0
dst ip/id=fe80::218:73ff:fe17:c69a/128, port=0, tag=0
input_ifc=outside, output_ifc=any
in id=0xae7de820, priority=13, domain=decrypt, deny=true
hits=0, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=50
src ip/id=::/0, port=0, tag=0
dst ip/id=fd85:5000:3000:2207:85:1:226:1/128, port=0, tag=0
input_ifc=outside, output_ifc=any
in id=0xae7ded60, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=8, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=::/0, port=0, tag=0
dst ip/id=::/0, port=0, tag=0
input_ifc=outside, output_ifc=any

Output Table:
out id=0xadd400f8, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
out id=0xaef86928, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=85.1.226.1, mask=255.255.255.255, port=0, tag=0
dst ip/id=75.1.250.1, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
out id=0xaef86a10, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=85.1.226.1, mask=255.255.255.255, port=0, tag=0
dst ip/id=65.1.224.0, mask=255.255.224.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
out id=0xaef86af8, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=95.1.224.0, mask=255.255.224.0, port=0, tag=0
dst ip/id=75.1.250.1, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
out id=0xaef86be0, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x612c, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=95.1.224.0, mask=255.255.224.0, port=0, tag=0
dst ip/id=65.1.224.0, mask=255.255.224.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
out id=0xaef86be0, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=95.1.224.0, mask=255.255.224.0, port=0, tag=0
dst ip/id=65.1.224.0, mask=255.255.224.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
out id=0xaef86798, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=::/128, port=0, tag=0
dst ip/id=::/128, port=0, tag=0
input_ifc=any, output_ifc=outside

L2 - Output Table:

L2 - Input Table:

Last clearing of hits counters: Never

What Occurred to Bring Up the Tunnel on Data


1. The ICMP packet (95.1.224.10 -> 65.1.224.10) arrives on the inside interface of ASA1.
2. ASA1 performs a flow lookup.
3. It does not find an existing flow, so it creates a new flow.
4. The ASA then performs a route lookup and routes the packet to the outside interface.
5. Flow classification on the outside interface searches the encrypt rules in order. The first rule matched is id=0xaef86be0.
6. Since this rule does not contain a VPN_CONTEXT (user_data==NULL), the NP copies the packet and queues it to the IKE_CMN subsystem to establish a Phase 2 tunnel. The NP drops the original packet and increments the "Need to start IKE negotiation (need-ike)" flow drop count.
7. The IKE_CMN subsystem performs a lookup to determine the crypto map entry. Based on the crypto map entry, IKE_CMN dispatches to the IKEv2 subsystem (if configured) and then, if necessary, to the IKEv1 subsystem (if configured).
8. The IKEv1 subsystem checks for a Phase 1 tunnel to the peer defined in the crypto map entry.
9. If necessary, the Phase 1 tunnel is established.
10. The Phase 2 tunnel is then established:
    1. The data packet is compared against the crypto map access-list to determine which entry triggered Phase 2.
    2. The matching ACL entry defines the Quick Mode (QM) Identification payloads: source to IDci and destination to IDcr.
    3. When QM completes, new NP rules are installed: two permit rules, a decrypt rule, an ipsec-tunnel-flow rule, and a dynamic encrypt rule. The two PERMIT rules are added to ensure that the tunneled traffic is allowed into and out of the firewall. The inbound outer PERMIT rule is identical to the DECRYPT rule but exists in the PERMIT domain to override any implicit deny rules that may be present. The outbound outer PERMIT rule is the mirror image of the inbound outer PERMIT rule (with the sources and destinations reversed) and allows the encrypted traffic out of the system regardless of the implicit deny rules that may exist on the interface. The decrypt rule is used to identify the encrypted packets sent from the peer. The ipsec-tunnel-flow rule verifies that the decrypted packets from the peer conform to the negotiated tunnel and performs inbound VPN filtering (if applied). This rule is inserted immediately before its matching static ipsec-tunnel-flow rule. The dynamic encrypt rule performs outbound VPN filtering (if applied) and is used to encrypt subsequent packets from inside ASA1 to ASA2. This rule is inserted immediately before its matching static encrypt rule. This way the new rule with a VPN_CONTEXT is hit before the static rule without a VPN_CONTEXT.

NOTE: Hit counts increment per flow, not per packet.
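As an added illustration (not part of the original page or any Cisco tool), the following Python applies the two observations above, that user_data carries the VPN_CONTEXT and that a dynamic encrypt rule is inserted ahead of its static rule once Quick Mode completes, to "show asp table classify crypto" output in the format shown: a static encrypt rule that has hits but no dynamic rule for the same ACE is one whose traffic triggered IKE (need-ike drops) without a tunnel coming up. The sample output is constructed, modelled on the tables above; the delimiter heuristic (host 0.0.0.0 or ::/128 as both source and destination) is an assumption drawn from those tables.

```python
import re
# Constructed sample in the format of "show asp table classify crypto" (output table only):
# delimiter, a dynamic encrypt rule (VPN_CONTEXT in user_data), the static rule it shadows,
# and a second static ACE that has been hit but never received a dynamic rule.
SAMPLE = """\
out id=0xadd400f8, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=255.255.255.255, port=0, tag=0, dscp=0x0
out id=0xaef86be0, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x612c, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=95.1.224.0, mask=255.255.224.0, port=0, tag=0
dst ip/id=65.1.224.0, mask=255.255.224.0, port=0, tag=0, dscp=0x0
out id=0xaef86be0, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=95.1.224.0, mask=255.255.224.0, port=0, tag=0
dst ip/id=65.1.224.0, mask=255.255.224.0, port=0, tag=0, dscp=0x0
out id=0xaef86a10, priority=70, domain=encrypt, deny=false
hits=4, user_data=0x0, cs_id=0xad408d48, reverse, flags=0x0, protocol=0
src ip/id=85.1.226.1, mask=255.255.255.255, port=0, tag=0
dst ip/id=65.1.224.0, mask=255.255.224.0, port=0, tag=0, dscp=0x0
"""

FIELD = re.compile(r"(\w+(?: ip/id)?)=([^,\s]+)")   # key=value pairs; "reverse" has none

def parse_rules(text):
    """One dict per NP rule; a line starting with 'in'/'out' opens a new rule."""
    rules = []
    for line in text.splitlines():
        if re.match(r"\s*(in|out)\s+id=", line):
            rules.append({})
        if rules:
            rules[-1].update(FIELD.findall(line))
    return rules

def classify(r):
    """Label a rule as the page does: cascade delimiter, dynamic (VPN_CONTEXT set) or static."""
    if r["deny"] == "false" and r["src ip/id"] in ("0.0.0.0", "::/128") and r["dst ip/id"] == r["src ip/id"]:
        return "delimiter"
    return "dynamic" if int(r["user_data"], 16) else "static"   # user_data 0x0 == NULL

def tunnel_status(rules):
    """Per static encrypt ACE (src, dst): 'up' if a dynamic rule exists for it, 'need-ike' if hit without one."""
    encrypt = [r for r in rules if r["domain"] == "encrypt"]
    dynamic = {(r["src ip/id"], r["dst ip/id"]) for r in encrypt if classify(r) == "dynamic"}
    status = {}
    for r in encrypt:
        if classify(r) == "static":
            key = (r["src ip/id"], r["dst ip/id"])
            status[key] = "up" if key in dynamic else ("need-ike" if int(r["hits"]) else "idle")
    return status

if __name__ == "__main__":
    for (src, dst), state in tunnel_status(parse_rules(SAMPLE)).items():
        print(f"{src:>12} -> {dst:<12} {state}")
```

Paste real output in place of SAMPLE; an ACE reported as need-ike is the one to carry into the ISAKMP debugging referenced in the troubleshooting section.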

What About VPN Filters


Refer to VPN_Filter_Enhancement (http://asapedia.cisco.com/index.php/VPN_Filter_Enhancement).

Troubleshooting Why a L2L is not Establishing on Data


1. Perform a capture with trace on the ingress interface: capture whatsup interface inside trace detail
2. Look for the routing decision and the drop location/reason: show capture whatsup trace detail
3. The packet should be dropped at the encrypt step, matching the static encrypt NP rule.
4. Now refer to Debugging_ISAKMP_Problems (http://asapedia.cisco.com/index.php/Debugging_ISAKMP_Problems).

Retrieved from "http://asapedia/index.php/All_About_Static_IPSec_L2L_and_ASP_Table_-_ASA_9.X"


Categories: IPSec | Troubleshooting | LAN-to-LAN

This page was last modified on 10 September 2016, at 21:31.
