Site to SIte VPN through a NAT device

I, i am having some trouble running a site to site vpn between two 3725 routers running c3725-advsecurityk9-mz124-15T1 which i hope i can get some help with, i am probably missing something here. The VPN ran fine when both VPN routers were connected directly to the internet and had public IPs on the WAN interfaces, but i have had to move one of the firewalls inside onto a private IP. The setup is now as below
VPN router A(192.168.248.253)---Company internal network----Fortigate FW-----internet----(217.155.113.179)VPN router B
Now the fortigate FW is doing some address translations
- traffic from 192.168.248.253 to 217.155.113.179 has its source translated to 37.205.62.5
- traffic from 217.155.113.179 to 37.205.62.5 has its destination translated to 192.168.248.253
- The firewall rules allow any traffic between the 2 devices, no port lockdown enabled.
- The 37.205.62.5 address is used by nothing else.
I basically have a GRE tunnel between the two routers and i am trying to encrypt it.
Router A is showing the below
SERVER-RTR#show crypto map
Crypto Map "S2S_VPN" 10 ipsec-isakmp
Peer = 217.155.113.179
Extended IP access list 101
access-list 101 permit gre host 192.168.248.253 host 217.155.113.179
Current peer: 217.155.113.179
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
STRONG,
Interfaces using crypto map S2S_VPN:
FastEthernet0/1
SERVER-RTR#show crypto sessio
Crypto session current status
Interface: FastEthernet0/1
Session status: DOWN
Peer: 217.155.113.179 port 500
IPSEC FLOW: permit 47 host 192.168.248.253 host 217.155.113.179
Active SAs: 0, origin: crypto map
Interface: FastEthernet0/1
Session status: UP-IDLE
Peer: 217.155.113.179 port 4500
IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Active
IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Inactive
IKE SA: local 192.168.248.253/4500 remote 217.155.113.179/4500 Inactive
Router B is showing the below
BSU-RTR#show crypto map
Crypto Map "S2S_VPN" 10 ipsec-isakmp
Peer = 37.205.62.5
Extended IP access list 101
access-list 101 permit gre host 217.155.113.179 host 37.205.62.5
Current peer: 37.205.62.5
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
STRONG,
Interfaces using crypto map S2S_VPN:
FastEthernet0/1
BSU-RTR#show crypto sess
Crypto session current status
Interface: FastEthernet0/1
Session status: DOWN
Peer: 37.205.62.5 port 500
IPSEC FLOW: permit 47 host 217.155.113.179 host 37.205.62.5
Active SAs: 0, origin: crypto map
Interface: FastEthernet0/1
Session status: UP-IDLE
Peer: 37.205.62.5 port 4500
IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Active
IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Inactive
IKE SA: local 217.155.113.179/4500 remote 37.205.62.5/4500 Inactive
I can see the counters incrementing over the ACL on both routers so i know GRE traffic is interesting.
Here are some debugs too
Router A
debug crypto isakmp
*Mar 2 23:07:10.898: ISAKMP:(1024):purging node 940426884
*Mar 2 23:07:10.898: ISAKMP:(1024):purging node 1837874301
*Mar 2 23:07:10.898: ISAKMP:(1024):purging node -475409474
*Mar 2 23:07:20.794: ISAKMP (0:0): received packet from 217.155.113.179 dport 500 sport 500 Global (N) NEW SA
*Mar 2 23:07:20.794: ISAKMP: Created a peer struct for 217.155.113.179, peer port 500
*Mar 2 23:07:20.794: ISAKMP: New peer created peer = 0x64960C04 peer_handle = 0x80000F0E
*Mar 2 23:07:20.794: ISAKMP: Locking peer struct 0x64960C04, refcount 1 for crypto_isakmp_process_block
*Mar 2 23:07:20.794: ISAKMP: local port 500, remote port 500
*Mar 2 23:07:20.794: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6464D3F0
*Mar 2 23:07:20.794: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 2 23:07:20.794: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Mar 2 23:07:20.794: ISAKMP:(0): processing SA payload. message ID = 0
*Mar 2 23:07:20.794: ISAKMP:(0): processing vendor id payload
*Mar 2 23:07:20.794: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar 2 23:07:20.798: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
*Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 2 23:07:20.798: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
*Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v3
*Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
*Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 2 23:07:20.798: ISAKMP:(0):found peer pre-shared key matching 217.155.113.179
*Mar 2 23:07:20.798: ISAKMP:(0): local preshared key found
*Mar 2 23:07:20.798: ISAKMP : Scanning profiles for xauth ...
*Mar 2 23:07:20.798: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Mar 2 23:07:20.798: ISAKMP: encryption DES-CBC
*Mar 2 23:07:20.798: ISAKMP: hash SHA
*Mar 2 23:07:20.798: ISAKMP: default group 1
*Mar 2 23:07:20.798: ISAKMP: auth pre-share
*Mar 2 23:07:20.798: ISAKMP: life type in seconds
*Mar 2 23:07:20.798: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 2 23:07:20.798: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar 2 23:07:20.798: ISAKMP:(0):Acceptable atts:actual life: 0
*Mar 2 23:07:20.798: ISAKMP:(0):Acceptable atts:life: 0
*Mar 2 23:07:20.798: ISAKMP:(0):Fill atts in sa vpi_length:4
*Mar 2 23:07:20.798: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Mar 2 23:07:20.798: ISAKMP:(0):Returning Actual lifetime: 86400
*Mar 2 23:07:20.798: ISAKMP:(0)::Started lifetime timer: 86400.
*Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
*Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar 2 23:07:20.798: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
*Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
*Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 2 23:07:20.798: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
*Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v3
*Mar 2 23:07:20.798: ISAKMP:(0): processing vendor id payload
*Mar 2 23:07:20.798: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 2 23:07:20.798: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 2 23:07:20.798: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 2 23:07:20.798: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Mar 2 23:07:20.802: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar 2 23:07:20.802: ISAKMP:(0): sending packet to 217.155.113.179 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar 2 23:07:20.802: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 2 23:07:20.802: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 2 23:07:20.802: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Mar 2 23:07:20.822: ISAKMP (0:0): received packet from 217.155.113.179 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar 2 23:07:20.822: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 2 23:07:20.822: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Mar 2 23:07:20.822: ISAKMP:(0): processing KE payload. message ID = 0
*Mar 2 23:07:20.850: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar 2 23:07:20.854: ISAKMP:(0):found peer pre-shared key matching 217.155.113.179
*Mar 2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
*Mar 2 23:07:20.854: ISAKMP:(1027): vendor ID is Unity
*Mar 2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
*Mar 2 23:07:20.854: ISAKMP:(1027): vendor ID is DPD
*Mar 2 23:07:20.854: ISAKMP:(1027): processing vendor id payload
*Mar 2 23:07:20.854: ISAKMP:(1027): speaking to another IOS box!
*Mar 2 23:07:20.854: ISAKMP:received payload type 20
*Mar 2 23:07:20.854: ISAKMP (0:1027): NAT found, the node inside NAT
*Mar 2 23:07:20.854: ISAKMP:received payload type 20
*Mar 2 23:07:20.854: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 2 23:07:20.854: ISAKMP:(1027):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Mar 2 23:07:20.854: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar 2 23:07:20.854: ISAKMP:(1027):Sending an IKE IPv4 Packet.
*Mar 2 23:07:20.858: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 2 23:07:20.858: ISAKMP:(1027):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Mar 2 23:07:20.898: ISAKMP:(1024):purging SA., sa=64D5723C, delme=64D5723C
*Mar 2 23:07:20.902: ISAKMP (0:1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
*Mar 2 23:07:20.902: ISAKMP:(1027):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 2 23:07:20.902: ISAKMP:(1027):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Mar 2 23:07:20.902: ISAKMP:(1027): processing ID payload. message ID = 0
*Mar 2 23:07:20.902: ISAKMP (0:1027): ID payload
next-payload : 8
type : 1
address : 217.155.113.179
protocol : 17
port : 0
length : 12
*Mar 2 23:07:20.902: ISAKMP:(0):: peer matches *none* of the profiles
*Mar 2 23:07:20.906: ISAKMP:(1027): processing HASH payload. message ID = 0
*Mar 2 23:07:20.906: ISAKMP:(1027): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 6464D3F0
*Mar 2 23:07:20.906: ISAKMP:(1027):SA authentication status:
authenticated
*Mar 2 23:07:20.906: ISAKMP:(1027):SA has been authenticated with 217.155.113.179
*Mar 2 23:07:20.906: ISAKMP:(1027):Detected port floating to port = 4500
*Mar 2 23:07:20.906: ISAKMP: Trying to find existing peer 192.168.248.253/217.155.113.179/4500/ and found existing peer 648EAD00 to reuse, free 64960C04
*Mar 2 23:07:20.906: ISAKMP: Unlocking peer struct 0x64960C04 Reuse existing peer, count 0
*Mar 2 23:07:20.906: ISAKMP: Deleting peer node by peer_reap for 217.155.113.179: 64960C04
*Mar 2 23:07:20.906: ISAKMP: Locking peer struct 0x648EAD00, refcount 2 for Reuse existing peer
*Mar 2 23:07:20.906: ISAKMP:(1027):SA authentication status:
authenticated
*Mar 2 23:07:20.906: ISAKMP:(1027): Process initial contact,
bring down existing phase 1 and 2 SA's with local 192.168.248.253 remote 217.155.113.179 remote port 4500
*Mar 2 23:07:20.906: ISAKMP:(1026):received initial contact, deleting SA
*Mar 2 23:07:20.906: ISAKMP:(1026):peer does not do paranoid keepalives.
*Mar 2 23:07:20.906: ISAKMP:(1026):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 217.155.113.179)
*Mar 2 23:07:20.906: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
*Mar 2 23:07:20.906: ISAKMP:(1027):Setting UDP ENC peer struct 0x0 sa= 0x6464D3F0
*Mar 2 23:07:20.906: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 2 23:07:20.906: ISAKMP:(1027):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Mar 2 23:07:20.910: ISAKMP: set new node -98987637 to QM_IDLE
*Mar 2 23:07:20.910: ISAKMP:(1026): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
*Mar 2 23:07:20.910: ISAKMP:(1026):Sending an IKE IPv4 Packet.
*Mar 2 23:07:20.910: ISAKMP:(1026):purging node -98987637
*Mar 2 23:07:20.910: ISAKMP:(1026):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 2 23:07:20.910: ISAKMP:(1026):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Mar 2 23:07:20.910: ISAKMP:(1027):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 2 23:07:20.910: ISAKMP (0:1027): ID payload
next-payload : 8
type : 1
address : 192.168.248.253
protocol : 17
port : 0
length : 12
*Mar 2 23:07:20.910: ISAKMP:(1027):Total payload length: 12
*Mar 2 23:07:20.914: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Mar 2 23:07:20.914: ISAKMP:(1027):Sending an IKE IPv4 Packet.
*Mar 2 23:07:20.914: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 2 23:07:20.914: ISAKMP:(1027):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Mar 2 23:07:20.914: ISAKMP:(1026):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 217.155.113.179)
*Mar 2 23:07:20.914: ISAKMP: Unlocking peer struct 0x648EAD00 for isadb_mark_sa_deleted(), count 1
*Mar 2 23:07:20.914: ISAKMP:(1026):deleting node 334747020 error FALSE reason "IKE deleted"
*Mar 2 23:07:20.914: ISAKMP:(1026):deleting node -1580729900 error FALSE reason "IKE deleted"
*Mar 2 23:07:20.914: ISAKMP:(1026):deleting node -893929227 error FALSE reason "IKE deleted"
*Mar 2 23:07:20.914: ISAKMP:(1026):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 2 23:07:20.914: ISAKMP:(1026):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Mar 2 23:07:20.914: ISAKMP:(1027):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 2 23:07:20.914: ISAKMP:(1027):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 2 23:07:20.930: ISAKMP (0:1026): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) MM_NO_STATE
*Mar 2 23:07:20.934: ISAKMP (0:1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) QM_IDLE
*Mar 2 23:07:20.934: ISAKMP: set new node 1860263019 to QM_IDLE
*Mar 2 23:07:20.934: ISAKMP:(1027): processing HASH payload. message ID = 1860263019
*Mar 2 23:07:20.934: ISAKMP:(1027): processing SA payload. message ID = 1860263019
*Mar 2 23:07:20.934: ISAKMP:(1027):Checking IPSec proposal 1
*Mar 2 23:07:20.934: ISAKMP: transform 1, ESP_AES
*Mar 2 23:07:20.934: ISAKMP: attributes in transform:
*Mar 2 23:07:20.934: ISAKMP: encaps is 3 (Tunnel-UDP)
*Mar 2 23:07:20.934: ISAKMP: SA life type in seconds
*Mar 2 23:07:20.934: ISAKMP: SA life duration (basic) of 3600
*Mar 2 23:07:20.934: ISAKMP: SA life type in kilobytes
*Mar 2 23:07:20.934: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Mar 2 23:07:20.934: ISAKMP: key length is 128
*Mar 2 23:07:20.934: ISAKMP:(1027):atts are acceptable.
*Mar 2 23:07:20.934: ISAKMP:(1027): IPSec policy invalidated proposal with error 32
*Mar 2 23:07:20.934: ISAKMP:(1027): phase 2 SA policy not acceptable! (local 192.168.248.253 remote 217.155.113.179)
*Mar 2 23:07:20.938: ISAKMP: set new node 1961554007 to QM_IDLE
*Mar 2 23:07:20.938: ISAKMP:(1027):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1688526152, message ID = 1961554007
*Mar 2 23:07:20.938: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
*Mar 2 23:07:20.938: ISAKMP:(1027):Sending an IKE IPv4 Packet.
*Mar 2 23:07:20.938: ISAKMP:(1027):purging node 1961554007
*Mar 2 23:07:20.938: ISAKMP:(1027):deleting node 1860263019 error TRUE reason "QM rejected"
*Mar 2 23:07:20.938: ISAKMP:(1027):Node 1860263019, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 2 23:07:20.938: ISAKMP:(1027):Old State = IKE_QM_READY New State = IKE_QM_READY
*Mar 2 23:07:24.510: ISAKMP: set new node 0 to QM_IDLE
*Mar 2 23:07:24.510: SA has outstanding requests (local 100.100.213.56 port 4500, remote 100.100.213.84 port 4500)
*Mar 2 23:07:24.510: ISAKMP:(1027): sitting IDLE. Starting QM immediately (QM_IDLE )
*Mar 2 23:07:24.510: ISAKMP:(1027):beginning Quick Mode exchange, M-ID of 670698820
*Mar 2 23:07:24.510: ISAKMP:(1027):QM Initiator gets spi
*Mar 2 23:07:24.510: ISAKMP:(1027): sending packet to 217.155.113.179 my_port 4500 peer_port 4500 (R) QM_IDLE
*Mar 2 23:07:24.510: ISAKMP:(1027):Sending an IKE IPv4 Packet.
*Mar 2 23:07:24.514: ISAKMP:(1027):Node 670698820, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 2 23:07:24.514: ISAKMP:(1027):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 2 23:07:24.530: ISAKMP (0:1027): received packet from 217.155.113.179 dport 4500 sport 4500 Global (R) QM_IDLE
*Mar 2 23:07:24.534: ISAKMP: set new node 1318257670 to QM_IDLE
*Mar 2 23:07:24.534: ISAKMP:(1027): processing HASH payload. message ID = 1318257670
*Mar 2 23:07:24.534: ISAKMP:(1027): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 3268378219, message ID = 1318257670, sa = 6464D3F0
*Mar 2 23:07:24.534: ISAKMP:(1027): deleting spi 3268378219 message ID = 670698820
*Mar 2 23:07:24.534: ISAKMP:(1027):deleting node 670698820 error TRUE reason "Delete Larval"
*Mar 2 23:07:24.534: ISAKMP:(1027):deleting node 1318257670 error FALSE reason "Informational (in) state 1"
*Mar 2 23:07:24.534: ISAKMP:(1027):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 2 23:07:24.534: ISAKMP:(1027):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 2 23:07:40.898: ISAKMP:(1025):purging node -238086324
*Mar 2 23:07:40.898: ISAKMP:(1025):purging node -1899972726
*Mar 2 23:07:40.898: ISAKMP:(1025):purging node -321906720
Router B
debug crypto isakmp
1d23h: ISAKMP:(0): SA request profile is (NULL)
1d23h: ISAKMP: Created a peer struct for 37.205.62.5, peer port 500
1d23h: ISAKMP: New peer created peer = 0x652C3B54 peer_handle = 0x80000D8C
1d23h: ISAKMP: Locking peer struct 0x652C3B54, refcount 1 for isakmp_initiator
1d23h: ISAKMP: local port 500, remote port 500
1d23h: ISAKMP: set new node 0 to QM_IDLE
1d23h: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 652CBDC4
1d23h: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
1d23h: ISAKMP:(0):found peer pre-shared key matching 37.205.62.5
1d23h: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
1d23h: ISAKMP:(0): constructed NAT-T vendor-07 ID
1d23h: ISAKMP:(0): constructed NAT-T vendor-03 ID
1d23h: ISAKMP:(0): constructed NAT-T vendor-02 ID
1d23h: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
1d23h: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
1d23h: ISAKMP:(0): beginning Main Mode exchange
1d23h: ISAKMP:(0): sending packet to 37.205.62.5 my_port 500 peer_port 500 (I) MM_NO_STATE
1d23h: ISAKMP:(0):Sending an IKE IPv4 Packet.
1d23h: ISAKMP (0:0): received packet from 37.205.62.5 dport 500 sport 500 Global (I) MM_NO_STATE
1d23h: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
1d23h: ISAKMP:(0): processing SA payload. message ID = 0
1d23h: ISAKMP:(0): processing vendor id payload
1d23h: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
1d23h: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
1d23h: ISAKMP:(0):found peer pre-shared key matching 37.205.62.5
1d23h: ISAKMP:(0): local preshared key found
1d23h: ISAKMP : Scanning profiles for xauth ...
1d23h: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
1d23h: ISAKMP: encryption DES-CBC
1d23h: ISAKMP: hash SHA
1d23h: ISAKMP: default group 1
1d23h: ISAKMP: auth pre-share
1d23h: ISAKMP: life type in seconds
1d23h: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
1d23h: ISAKMP:(0):atts are acceptable. Next payload is 0
1d23h: ISAKMP:(0):Acceptable atts:actual life: 0
1d23h: ISAKMP:(0):Acceptable atts:life: 0
1d23h: ISAKMP:(0):Fill atts in sa vpi_length:4
1d23h: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
1d23h: ISAKMP:(0):Returning Actual lifetime: 86400
1d23h: ISAKMP:(0)::Started lifetime timer: 86400.
1d23h: ISAKMP:(0): processing vendor id payload
1d23h: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
1d23h: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
1d23h: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
1d23h: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
1d23h: ISAKMP:(0): sending packet to 37.205.62.5 my_port 500 peer_port 500 (I) MM_SA_SETUP
1d23h: ISAKMP:(0):Sending an IKE IPv4 Packet.
1d23h: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
1d23h: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
1d23h: ISAKMP (0:0): received packet from 37.205.62.5 dport 500 sport 500 Global (I) MM_SA_SETUP
1d23h: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
1d23h: ISAKMP:(0): processing KE payload. message ID = 0
1d23h: ISAKMP:(0): processing NONCE payload. message ID = 0
1d23h: ISAKMP:(0):found peer pre-shared key matching 37.205.62.5
1d23h: ISAKMP:(1034): processing vendor id payload
1d23h: ISAKMP:(1034): vendor ID is Unity
1d23h: ISAKMP:(1034): processing vendor id payload
1d23h: ISAKMP:(1034): vendor ID is DPD
1d23h: ISAKMP:(1034): processing vendor id payload
1d23h: ISAKMP:(1034): speaking to another IOS box!
1d23h: ISAKMP:received payload type 20
1d23h: ISAKMP:received payload type 20
1d23h: ISAKMP (0:1034): NAT found, the node outside NAT
1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
1d23h: ISAKMP:(1034):Old State = IKE_I_MM4 New State = IKE_I_MM4
1d23h: ISAKMP:(1034):Send initial contact
1d23h: ISAKMP:(1034):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
1d23h: ISAKMP (0:1034): ID payload
next-payload : 8
type : 1
address : 217.155.113.179
protocol : 17
port : 0
length : 12
1d23h: ISAKMP:(1034):Total payload length: 12
1d23h: ISAKMP:(1034): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
1d23h: ISAKMP:(1034):Sending an IKE IPv4 Packet.
1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
1d23h: ISAKMP:(1034):Old State = IKE_I_MM4 New State = IKE_I_MM5
1d23h: ISAKMP:(1031):purging SA., sa=652D60C8, delme=652D60C8
1d23h: ISAKMP (0:1033): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) QM_IDLE
1d23h: ISAKMP: set new node 33481563 to QM_IDLE
1d23h: ISAKMP:(1033): processing HASH payload. message ID = 33481563
1d23h: ISAKMP:received payload type 18
1d23h: ISAKMP:(1033):Processing delete with reason payload
1d23h: ISAKMP:(1033):delete doi = 1
1d23h: ISAKMP:(1033):delete protocol id = 1
1d23h: ISAKMP:(1033):delete spi_size = 16
1d23h: ISAKMP:(1033):delete num spis = 1
1d23h: ISAKMP:(1033):delete_reason = 11
1d23h: ISAKMP:(1033): processing DELETE_WITH_REASON payload, message ID = 33481563, reason: Unknown delete reason!
1d23h: ISAKMP:(1033):peer does not do paranoid keepalives.
1d23h: ISAKMP:(1033):deleting SA reason "Receive initial contact" state (I) QM_IDLE (peer 37.205.62.5)
1d23h: ISAKMP:(1033):deleting node 33481563 error FALSE reason "Informational (in) state 1"
1d23h: ISAKMP: set new node 1618266182 to QM_IDLE
1d23h: ISAKMP:(1033): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) QM_IDLE
1d23h: ISAKMP:(1033):Sending an IKE IPv4 Packet.
1d23h: ISAKMP:(1033):purging node 1618266182
1d23h: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
1d23h: ISAKMP:(1033):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
1d23h: ISAKMP (0:1034): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) MM_KEY_EXCH
1d23h: ISAKMP:(1034): processing ID payload. message ID = 0
1d23h: ISAKMP (0:1034): ID payload
next-payload : 8
type : 1
address : 192.168.248.253
protocol : 17
port : 0
length : 12
1d23h: ISAKMP:(0):: peer matches *none* of the profiles
1d23h: ISAKMP:(1034): processing HASH payload. message ID = 0
1d23h: ISAKMP:(1034):SA authentication status:
authenticated
1d23h: ISAKMP:(1034):SA has been authenticated with 37.205.62.5
1d23h: ISAKMP: Trying to insert a peer 217.155.113.179/37.205.62.5/4500/, and found existing one 643BCA10 to reuse, free 652C3B54
1d23h: ISAKMP: Unlocking peer struct 0x652C3B54 Reuse existing peer, count 0
1d23h: ISAKMP: Deleting peer node by peer_reap for 37.205.62.5: 652C3B54
1d23h: ISAKMP: Locking peer struct 0x643BCA10, refcount 2 for Reuse existing peer
1d23h: ISAKMP:(1034):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP:(1034):Old State = IKE_I_MM5 New State = IKE_I_MM6
1d23h: ISAKMP:(1033):deleting SA reason "Receive initial contact" state (I) QM_IDLE (peer 37.205.62.5)
1d23h: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
1d23h: ISAKMP: Unlocking peer struct 0x643BCA10 for isadb_mark_sa_deleted(), count 1
1d23h: ISAKMP:(1033):deleting node 1267924911 error FALSE reason "IKE deleted"
1d23h: ISAKMP:(1033):deleting node 1074093103 error FALSE reason "IKE deleted"
1d23h: ISAKMP:(1033):deleting node -183194519 error FALSE reason "IKE deleted"
1d23h: ISAKMP:(1033):deleting node 33481563 error FALSE reason "IKE deleted"
1d23h: ISAKMP:(1033):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
1d23h: ISAKMP:(1033):Old State = IKE_DEST_SA New State = IKE_DEST_SA
1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
1d23h: ISAKMP:(1034):Old State = IKE_I_MM6 New State = IKE_I_MM6
1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
1d23h: ISAKMP:(1034):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
1d23h: ISAKMP:(1034):beginning Quick Mode exchange, M-ID of 1297417008
1d23h: ISAKMP:(1034):QM Initiator gets spi
1d23h: ISAKMP:(1034): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) QM_IDLE
1d23h: ISAKMP:(1034):Sending an IKE IPv4 Packet.
1d23h: ISAKMP:(1034):Node 1297417008, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
1d23h: ISAKMP:(1034):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
1d23h: ISAKMP:(1034):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
1d23h: ISAKMP:(1034):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
1d23h: ISAKMP (0:1034): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) QM_IDLE
1d23h: ISAKMP: set new node -874376893 to QM_IDLE
1d23h: ISAKMP:(1034): processing HASH payload. message ID = -874376893
1d23h: ISAKMP:(1034): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 56853244, message ID = -874376893, sa = 652CBDC4
1d23h: ISAKMP:(1034): deleting spi 56853244 message ID = 1297417008
1d23h: ISAKMP:(1034):deleting node 1297417008 error TRUE reason "Delete Larval"
1d23h: ISAKMP:(1034):deleting node -874376893 error FALSE reason "Informational (in) state 1"
1d23h: ISAKMP:(1034):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
1d23h: ISAKMP:(1034):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
1d23h: ISAKMP (0:1034): received packet from 37.205.62.5 dport 4500 sport 4500 Global (I) QM_IDLE
1d23h: ISAKMP: set new node 439453045 to QM_IDLE
1d23h: ISAKMP:(1034): processing HASH payload. message ID = 439453045
1d23h: ISAKMP:(1034): processing SA payload. message ID = 439453045
1d23h: ISAKMP:(1034):Checking IPSec proposal 1
1d23h: ISAKMP: transform 1, ESP_AES
1d23h: ISAKMP: attributes in transform:
1d23h: ISAKMP: encaps is 3 (Tunnel-UDP)
1d23h: ISAKMP: SA life type in seconds
1d23h: ISAKMP: SA life duration (basic) of 3600
1d23h: ISAKMP: SA life type in kilobytes
1d23h: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
1d23h: ISAKMP: key length is 128
1d23h: ISAKMP:(1034):atts are acceptable.
1d23h: ISAKMP:(1034): IPSec policy invalidated proposal with error 32
1d23h: ISAKMP:(1034): phase 2 SA policy not acceptable! (local 217.155.113.179 remote 37.205.62.5)
1d23h: ISAKMP: set new node 1494356901 to QM_IDLE
1d23h: ISAKMP:(1034):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1687353736, message ID = 1494356901
1d23h: ISAKMP:(1034): sending packet to 37.205.62.5 my_port 4500 peer_port 4500 (I) QM_IDLE
1d23h: ISAKMP:(1034):Sending an IKE IPv4 Packet.
1d23h: ISAKMP:(1034):purging node 1494356901
1d23h: ISAKMP:(1034):deleting node 439453045 error TRUE reason "QM rejected"
1d23h: ISAKMP:(1034):Node 439453045, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
1d23h: ISAKMP:(1034):Old State = IKE_QM_READY New State = IKE_QM_READY
1d23h: ISAKMP:(1032):purging node 1513722556
1d23h: ISAKMP:(1032):purging node -643121396
1d23h: ISAKMP:(1032):purging node 1350014243
1d23h: ISAKMP:(1032):purging node 83247347

Hi Lei , here are the 2 configs for the VPN routers. Hope it sheds some light.
Just to add i have removed the crypto map from the fa0/1 interfaces on both routers just so i can continue my work with the GRE tunnel.
Router A
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SERVER-RTR
boot-start-marker
boot-end-marker
logging buffered 4096
enable secret 5 $1$RihE$Po9HPkuvEHaspaD5ZC72m0
no aaa new-model
memory-size iomem 20
ip cef
no ip domain lookup
ip multicast-routing
multilink bundle-name authenticated
archive
log config
  hidekeys
crypto isakmp policy 1
authentication pre-share
crypto isakmp key XXXX address 217.155.113.179
crypto ipsec transform-set STRONG esp-aes
crypto map S2S_VPN 10 ipsec-isakmp
set peer 217.155.113.179
set transform-set STRONG
match address 101
controller E1 1/0
interface Tunnel0
bandwidth 100000
ip address 10.208.200.1 255.255.255.0
ip mtu 1400
ip pim dense-mode
ip route-cache flow
tunnel source FastEthernet0/1
tunnel destination 217.155.113.179
interface FastEthernet0/0
ip address 10.208.1.10 255.255.224.0
ip pim state-refresh origination-interval 30
ip pim dense-mode
ip route-cache flow
ip igmp version 1
duplex auto
speed auto
interface FastEthernet0/1
ip address 192.168.248.253 255.255.254.0
ip nbar protocol-discovery
ip route-cache flow
load-interval 60
duplex auto
speed auto
router eigrp 1
auto-summary
router ospf 1
log-adjacency-changes
network 10.208.0.0 0.0.31.255 area 0
network 10.208.200.0 0.0.0.255 area 0
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.208.1.1
ip route 217.155.113.179 255.255.255.255 192.168.248.1
ip flow-export version 5
ip flow-export destination 192.168.249.198 9996
no ip http server
no ip http secure-server
access-list 101 permit gre host 192.168.248.253 host 217.155.113.179
ROuter B
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname BSU-RTR
boot-start-marker
boot-end-marker
enable secret 5 $1$VABE$6r6dayC90o52Gb8iZZgNP/
no aaa new-model
memory-size iomem 25
ip cef
no ip domain lookup
ip multicast-routing
multilink bundle-name authenticated
archive
log config
  hidekeys
crypto isakmp policy 1
authentication pre-share
crypto isakmp key XXXX address 37.205.62.5
crypto ipsec transform-set STRONG esp-aes
crypto map S2S_VPN 10 ipsec-isakmp
set peer 37.205.62.5
set transform-set STRONG
match address 101
controller E1 1/0
interface Tunnel0
bandwidth 20000
ip address 10.208.200.2 255.255.255.0
ip mtu 1400
ip pim dense-mode
tunnel source FastEthernet0/1
tunnel destination 37.205.62.5
interface FastEthernet0/0
ip address 10.208.102.1 255.255.255.0
ip helper-address 10.208.2.31
ip pim dense-mode
duplex auto
speed auto
interface FastEthernet0/1
ip address 217.155.113.179 255.255.255.248
ip nbar protocol-discovery
load-interval 60
duplex auto
speed auto
router ospf 1
log-adjacency-changes
network 10.208.102.0 0.0.0.255 area 0
network 10.208.200.0 0.0.0.255 area 0
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.208.200.1
ip route 37.205.62.5 255.255.255.255 217.155.113.182
no ip http server
no ip http secure-server
ip pim bidir-enable
ip mroute 10.208.0.0 255.255.224.0 Tunnel0
access-list 101 permit gre host 217.155.113.179 host 37.205.62.5

Similar Messages

  • AAA Accounting through a NAT device

    Good Day to you all,
    I am trying to configure aaa accounting through a natted device to a ACS 4.0 server. the information is logged ok but is logged as the device that is performing the natting. is there a way to configure aaa accounting to show the acctual device being updated in the ACS logs

    Assuming its RADIUS...
    Is it possible to get the originating device to include the NAS-IP-Address or NAS-Identifier attributes in the accounting records?
    This will be the actual device values rather than the peer address of the NAT device.

  • How to access the gui through a NAT device

    Hi
    I have to access the management GUI over a NAT IP. So the browser is not accessing the configured managment IP. How can this be realized?
    Unfortunately the programmers wrote the HTML code with absolute addressed links instead of using relative links.
    Example HTML code excerpt from the web gui:
    <script src="
    https://wsa.test.local:8443/scfw/1y-7.1.2-020/yui/animation/animation-min.js"></script>
    Good code shoul read like:
    <script src="/scfw/1y-7.1.2-020/yui/animation/animation-min.js"></script>
    The second code doesn't take care on which hostname/IP nor port the web gui is seen from the client. The browser just adds hostname to the beginning of the URL as it was used to access the starting page. So a NAT or even PAT on the way to access the box has no influence on the usability.
    Any ideas how to circumvent that problem?

    We found out that this seems to be a limitation of the browser. It doesn't work with iE 8/9 but it works with Firefox 6.0.1.
    Strange...

  • IPsec VPN behind a NAT devices

    Thanks but just resolved the problem. Thus i deleted my posting.

    Thank you for you replies there are 2 options either easy vpn client but it requires cisco at the other end ...or that one:
    crypto keyring spokes
    pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
    crypto isakmp profile L2L
    description LAN-to-LAN for spoke router(s) connection
    keyring spokes
    match identity address 0.0.0.0
    here is the cisco url link where u can find further information about it:
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml
    I m gonna test those 2 options
    I still don t know how to push acl with easy vpn client and remote mode.
    thank you for your advices
    regards,
    alex
    regards,
    alex

  • TACACS+ requests through NAT device

    Hi everyone.
    I want to Authenticate and Authorize VTY-Access to Cisco devices using TACACS+. The config is pritty "straight forwasrd", BUT:
    I want to forward the TACACS+ Request through a NAT device and on to the "Internet" where the TACAS+ server is located. (ACS 3.3)
    2 Questions in this situation appeares:
    - Does TACACS+ protocol support request through NAT devices?
    - Is it possible to connect different devices begind the NAT device, using only one Outside NAT IP address? (Using the same secret key for all aaa-clients and on the ACS)
    As you see, i want to connect "as many aaa-clients as possible" to a TACACS+ Server with "as easy = less configuration changes, as possible" .
    I know VPN's are options as well, but it is not prefered in my design.
    Best Regards
    Jarle Steffensen

    As far as I know what you propose will work. You are the only one who knows what the local environment is and what the real requirements are and you must decide whether it is a good idea to do it this way.
    I do not see why passing the TACACS request through a NAT device would impact it, so long as the NAT was static or an overload (PAT). The request needs to get to the TACACS server with a consistent source address. If it was a dynamic NAT and one request came with one source address and the next request came with a different source address, it would only work if the TACACS server was configured with ALL of the possible translated addresses. (and part of your requirement is to simplify the config not to complicate it).
    If there are multiple devices sending requests to TACACS through the NAT device, it would look to the TACACS server as if there were a single remote device with lots of users. If you do not care that the TACACS server can not differentiate the remote devices then your solution should work. Do you want to be able to look at the TACACS reports and see that this successful (or that unsuccessful) attempt came from this machine or that machine? If you do not care then your solution should work. If you do care to differentiate the remote activity then you need a solution like VPN which maintains the individuality of the remote devices.
    HTH
    Rick

  • Site to Site and Remote Access VPN

    Hi All,
        Is it possible to configure Site to Site and Remote Access VPN on same interface of Cisco ASA 5505 ?
    Regards
    Abhishek
    This topic first appeared in the Spiceworks Community

    A document exists where PIX/ASA maintains LAN-ti-LAN IPsec tunnel at two end points and there is overlapping networks at ther inside interface of both the asa. Probably, the basic configuration for both asa and IOS routers are nat config. So, this particular document might be useful for your requirement
    PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT (Overlapping Private Networks) Configuration Example
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

  • ASA 5505 site to site VPN from a device 7.2 to a device 8.2

    I'm trying to make some test with two ASA 5505; one has software version 7.2(4) the other 8.2.
    I would like to make a sit to site VPN from the two device.
    I followed the VPN site to site wizard on both machine with the correct parameters, but it does'n work.
    Is it possible to make this kind of VPN between devices with different Software version? Or I should upg the older with 7.2 to 8.2 before ?
    Thank for your help.
    Marco

    Tks Soeren for your help, these are some info about my test:
    Cisco 1 (7.2) Ext 192.168.0.1
                       Int  192.168.11.50
    Cisco 2 (8.2) Ext 192.168.0.2
                       Int 192.168.10.254
    Common gateway 192.168.0.254
    Both Ext interface of Cisco 1 & Cisco 2 are on a common switch, like the gateway.
    These are SH run:
    Cisco 1
    ASA Version 7.2(4)
    hostname DigiASA
    domain-name ************
    enable password ************* encrypted
    passwd *************** encrypted
    names
    name 192.168.10.0 REMOTE-LAN
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.11.150 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 192.168.0.1 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name *************
    access-list acl_outbound extended permit tcp any host 192.168.0.1 eq ftp-data
    access-list acl_outbound extended permit tcp any host 192.168.0.1 eq ftp
    access-list acl_outbound extended permit tcp any host 192.168.0.1 eq https
    access-list acl_outbound extended permit tcp any host 192.168.0.1 eq pop3
    access-list acl_outbound extended permit tcp any host 192.168.0.1 eq www
    access-list acl_inbound extended permit tcp 192.168.11.0 255.255.255.0 any eq www
    access-list acl_inbound extended permit tcp 192.168.11.0 255.255.255.0 any eq ftp
    access-list acl_inbound extended permit tcp 192.168.11.0 255.255.255.0 any eq ftp-data
    access-list acl_inbound extended permit tcp 192.168.11.0 255.255.255.0 any eq smtp
    access-list acl_inbound extended deny tcp any any eq www
    access-list acl_inbound extended deny tcp any any eq ftp
    access-list acl_inbound extended deny tcp any any eq ftp-data
    access-list acl_inbound extended deny tcp any any eq smtp
    access-list acl_inbound extended deny udp any eq tftp any
    access-list acl_inbound extended deny tcp any eq 135 any
    access-list acl_inbound extended deny udp any eq 135 any
    access-list acl_inbound extended deny tcp any eq 137 any
    access-list acl_inbound extended deny udp any eq netbios-ns any
    access-list acl_inbound extended deny tcp any eq 138 any
    access-list acl_inbound extended deny udp any eq netbios-dgm any
    access-list acl_inbound extended deny tcp any eq netbios-ssn any
    access-list acl_inbound extended deny udp any eq 139 any
    access-list acl_inbound extended deny udp any eq 1080 any
    access-list acl_inbound extended deny tcp any eq 445 any
    access-list acl_inbound extended deny tcp any eq 593 any
    access-list acl_inbound extended deny tcp any eq 3067 any
    access-list acl_inbound extended deny tcp any eq 3127 any
    access-list acl_inbound extended deny tcp any eq 4444 any
    access-list acl_inbound extended deny tcp any eq 5554 any
    access-list acl_inbound extended deny tcp any eq 9996 any
    access-list acl_inbound extended deny tcp any eq 36794 any
    access-list acl_inbound extended permit ip any any
    access-list VPN extended permit ip 192.168.11.0 255.255.255.0 host 192.168.11.230
    access-list VPN extended permit ip 192.168.11.0 255.255.255.0 host 192.168.11.231
    access-list VPN extended permit ip 192.168.11.0 255.255.255.0 host 192.168.11.232
    access-list VPN extended permit ip 192.168.11.0 255.255.255.0 host 192.168.11.233
    access-list VPN extended permit ip 192.168.11.0 255.255.255.0 host 192.168.11.234
    access-list VPN extended permit ip 192.168.11.0 255.255.255.0 host 192.168.11.235
    access-list VPN extended permit ip 192.168.11.0 255.255.255.0 host 192.168.11.236
    access-list VPN extended permit ip 192.168.11.0 255.255.255.0 host 192.168.11.237
    access-list VPN extended permit ip 192.168.11.0 255.255.255.0 host 192.168.11.238
    access-list VPN extended permit ip 192.168.11.0 255.255.255.0 host 192.168.11.239
    access-list VPN extended permit ip 192.168.11.0 255.255.255.0 host 192.168.11.240
    access-list inside_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 REMOTE-LAN 255.255.255.0
    access-list SplitTunnelNets standard permit 192.168.11.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.11.0 255.255.255.0 REMOTE-LAN 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool Ext-IP 192.168.11.230-192.168.11.240 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface www 192.168.11.11 www netmask 255.255.255.255
    static (inside,outside) tcp interface ftp 192.168.11.11 ftp netmask 255.255.255.255
    static (inside,outside) tcp interface https 192.168.11.10 https netmask 255.255.255.255
    access-group acl_inbound in interface inside
    access-group acl_outbound in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.0.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.11.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 192.168.0.2
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal  20
    telnet 192.168.11.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    group-policy DIGI internal
    group-policy DIGI attributes
    dns-server value 192.168.11.1 213.140.2.21
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value SplitTunnelNets
    default-domain value DIGI
    username Marco password ***************** encrypted privilege 15
    username Marco attributes
    vpn-group-policy DIGI
    tunnel-group DIGI type ipsec-ra
    tunnel-group DIGI general-attributes
    address-pool Ext-IP
    default-group-policy DIGI
    tunnel-group DIGI ipsec-attributes
    pre-shared-key *
    tunnel-group DIGIVPN type ipsec-l2l
    tunnel-group DIGIVPN ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cisco 2
    ASA Version 8.2(1)
    hostname XFASA
    domain-name ****************
    enable password ***************** encrypted
    passwd ***************** encrypted
    names
    name 192.168.11.0 REMOTE-LAN
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.10.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 192.168.0.2 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name **************
    access-list acl_outbound extended permit tcp any host 192.168.0.2 eq ftp-data
    access-list acl_outbound extended permit tcp any host 192.168.0.2 eq ftp
    access-list acl_outbound extended permit tcp any host 192.168.0.2 eq https
    access-list acl_outbound extended permit tcp any host 192.168.0.2 eq pop3
    access-list acl_outbound extended permit tcp any host 192.168.0.2 eq www
    access-list acl_inbound extended permit tcp 192.168.10.0 255.255.255.0 any eq www
    access-list acl_inbound extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp
    access-list acl_inbound extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp-data
    access-list acl_inbound extended permit tcp 192.168.10.0 255.255.255.0 any eq smtp
    access-list acl_inbound extended deny tcp any any eq www
    access-list acl_inbound extended deny tcp any any eq ftp
    access-list acl_inbound extended deny tcp any any eq ftp-data
    access-list acl_inbound extended deny tcp any any eq smtp
    access-list acl_inbound extended deny udp any eq tftp any
    access-list acl_inbound extended deny tcp any eq 135 any
    access-list acl_inbound extended deny udp any eq 135 any
    access-list acl_inbound extended deny tcp any eq 137 any
    access-list acl_inbound extended deny udp any eq netbios-ns any
    access-list acl_inbound extended deny tcp any eq 138 any
    access-list acl_inbound extended deny udp any eq netbios-dgm any
    access-list acl_inbound extended deny tcp any eq netbios-ssn any
    access-list acl_inbound extended deny udp any eq 139 any
    access-list acl_inbound extended deny udp any eq 1080 any
    access-list acl_inbound extended deny tcp any eq 445 any
    access-list acl_inbound extended deny tcp any eq 593 any
    access-list acl_inbound extended deny tcp any eq 3067 any
    access-list acl_inbound extended deny tcp any eq 3127 any
    access-list acl_inbound extended deny tcp any eq 4444 any
    access-list acl_inbound extended deny tcp any eq 5554 any
    access-list acl_inbound extended deny tcp any eq 9996 any
    access-list acl_inbound extended deny tcp any eq 36794 any
    access-list acl_inbound extended permit ip any any
    access-list SplitTunnelNets standard permit 192.168.10.0 255.255.255.0
    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.230
    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.231
    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.232
    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.233
    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.234
    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.235
    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.236
    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.237
    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.238
    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.239
    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.240
    access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 REMOTE-LAN 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 REMOTE-LAN 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool Ext-IP 192.168.10.230-192.168.10.240 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group acl_inbound in interface inside
    access-group acl_outbound in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.0.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 192.168.0.1
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.10.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.10.50-192.168.10.150 inside
    dhcpd dns 85.18.200.200 89.97.140.140 interface inside
    dhcpd domain XFACTOR interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy XFA internal
    group-policy XFA attributes
    dns-server value 85.18.200.200
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value SplitTunnelNets
    default-domain value XFDMN
    username Marco password ************* encrypted privilege 15
    username Marco attributes
    vpn-group-policy XFA
    username xfa password ************* encrypted privilege 0
    username xfa attributes
    vpn-group-policy XFA
    tunnel-group XFA type remote-access
    tunnel-group XFA general-attributes
    address-pool Ext-IP
    default-group-policy XFA
    tunnel-group XFA ipsec-attributes
    pre-shared-key *
    tunnel-group DIGIVPN type ipsec-l2l
    tunnel-group DIGIVPN ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    I hope you can find anything wrong, because I ddidn't find.
    Thanks again
    Marco

  • ASA 5505: Site-to-Site VPN, NAT (Overlap Subnets)

    Greetings all.  I've searched through the forums and have found some similar situations to mine but nothing specific.  I'm hoping this is an easy fix...  :/
    I volunteer for a non-profit medical facility that has an ASA 5505 (v8.4).  They needed a site-to-site VPN to another facility (a Fortinet w/ 10.10.115.0/24) to securly transfer digital X-Ray images.  Very simple setup... the issue is, my 5505 (192.168.1.x) overlaps with another site-to-site VPN connection on the Fortinet side already.  So...
    The network admin on the Fortinet side assinged me 172.31.1.0/24.  I have established a connection but obviously, cannot route anywhere to the other side.  Anyone have any suggestions here, how I might be able to accomplish this - hopefully with a simple NAT setup?
    Thank you in advance everyone.

    Hello Chris,
    For this scenario you will need to create a Policy-NAT rule and then configure the Interesting Traffic with the translated IP address.
    Basically the NAT configuration will be like this:
    object network Local-net
    subnet 192.168.1.0 255.255.255.0
    object network Translated-net
    subnet 172.31.1.0 255.255.255.0
    object network Fortinet-net
    subnet 10.10.115.0 255.255.255.0
    nat (inside,outside) source static Local-net Translated-net destination static Fortinet-net Fortinet-net
    Obviously, you can change the name of the objects.
    Then in the interesting traffic, the ACL that is apply in the crypto map that defines the VPN traffi, you will need to configure it like this:
    access-list anyname permit ip 172.31.1.0 255.255.255.0 10.10.115.0 255.255.255.0
    This should allow you to pass traffic over this tunnel and it will hide your network behind the network that the Fortinet assigned you.
    Let me know if you have any doubts.
    Daniel Moreno
    Please rate any posts you find useful

  • ASA Cannot access https device via Clientless VPN bookmark, site to site works fine

    We've got two offices connected via an IPSEC tunnel.  This site to site VPN works great, we can access our remote devices fine from a PC on either LAN at each office.  The device's address is https://192.168.210.2
    However, if we make a bookmark on the Clientless VPN for that same address the conneciton just times out if it has to go over the site to site VPN. 
    We plugged the exact same web enabled device on the local side of the VPN, put in a bookmark for its https address and it works fine.  Its just remote bookmarks for devices on the other side of the tunnel do not work.
    Looking at the debug log I see the request going out from the source to the destination on port 443 but nothing more.  The NAT exemption etc are all right because people on the LAN have no problem accessing this device remotely with their browser. 
    I haven't been able to adequately describe this problem to find a matching Cisco example, anyone know how to fix this?

    hi luis,
    thank you for your reply. we've checked the smoothwall configuration, but couldn't discover anything which could cause this problem. we even tried replacing the sa520 with a draytek vigor router to set up an lan-to-lan vpn with the smoothwall. with the draytek in place we have no problems accessing the aforementioned servers, so it seems the issue is with the SA520.
    what exactly do you mean by creating an ACL from the remote WAN to our LAN? i assumed you meant creating a firewall rule, allowing traffic from the remote device's public ip to our LAN. however, in that case i need to enter an ip address of a device in our LAN, or else i cannot save this rule. as a test i entered the ip address of my machine as the destination address, but am still unable to access the aforementioned servers.
    here's how i set up the rule:
    from zone: UNSECURE (WAN/optional WAN)
    to zone: LAN
    service: ANY
    action: ALLOW always
    schedule: (not set)
    source hosts: Single address
    from: public ip of one of the aforementioned servers
    source NAT settings > external IP address: WAN interface address (cannot change this setting)
    source NAT settings >WAN interface: dedicated WAN (cannot change this setting)
    destination NAT settings > internal ip address: 192.168.11.123 (ip address of my machine)
    enable port forwarding: unchecked
    translate port number: empty
    external IP address: dedicated WAN

  • Targeted HTTP Requests through SonicWALL Site-to-Site VPN

    I have a B2B tunnel to one of our customers. All HTTP/HTTPS traffic from our main office for those addresses goes across the B2B.Now, I have a remote office connected to the main office via site-to-site VPN. How can I target HTTP/HTTPS requests for only the customer websites to use the site-to-site VPN to our office, then the B2B, while allowing other Web traffic to go straight out through the remote office? I have already added the subnets used by the B2B to the access lists at both ends of the site-to-site, but computers at the remote office cannot load Web pages, because the requests are not coming from our B2B IP address. nslookup and ping work from the remote office; DNS is resolving the name to the correct IP address. However, the HTTP/HTTPS requests are going straight out through the remote office firewall without hitting the...
    This topic first appeared in the Spiceworks Community

    Hi
    I looked through the similar questions and I cannot find the answer. My VPN is working correctly and I can ping every LAN interface address objects specified in my routes but I'm unable to ping or access end devices beyond that. IPS and the GAV is not enable since I don't have the licenses, so theirs no concern there. Something is telling me that it could be a basic route needs to be in place on VPN > LAN but that was created in the initial VPN configuration.
    For example I can ping Remote LAN interfaces 172.16.0.254, 172.18.0.254 but I cant ping the devices in those subnets. 
    This topic first appeared in the Spiceworks Community

  • Cisco ASA Site to Site IPSEC VPN and NAT question

    Hi Folks,
    I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
    ASA2  is at HQ and ASA1 is a remote site. I have no problem setting up a  static static Site to Site IPSEC VPN between sites. Hosts residing at  10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but  what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16  will communicate with hosts at 192.168.1.0/24 with translated addresses
    Just an example:
    Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with  destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet  should be the same in this case .5)
    The same  translation for the rest of the communication (Host N2 pings host N3  destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
    It sounds a bit confusing for me but i have seen this type of setup  before when I worked for managed service provider where we had  connection to our clients (Site to Site Ipsec VPN with NAT, not sure how  it was setup)
    Basically we were communicating  with client hosts over site to site VPN but their real addresses were  hidden and we were using translated address as mentioned above  10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the  same.
    Appreciate if someone can shed some light on it.

    Hi,
    Ok so were going with the older NAT configuration format
    To me it seems you could do the following:
    Configure the ASA1 with Static Policy NAT 
    access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
    If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
    On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
    access-list INSIDE-NONAT remark L2LVPN NONAT
    access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NONAT
    You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
    ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    I could test this setup tomorrow at work but let me know if it works out.
    Please rate if it was helpful
    - Jouni

  • Azure multiple site-to-site VPNs (dynamic gateway) with Cisco ASA devices

    Hello
    I've been experimenting with moving certain on-premise servers to Azure however they would need a site-to-site VPN link to our many branch sites e.g. monitoring of nodes.
    The documentation says I need to configure a dynamic gateway to have multiple site-to-site VPNs. This is not a problem for our typical Cisco ISR's. However three of our key sites use Cisco ASA devices which are listed as 'Not Compatible' with dynamic routing.
    So I am stuck...
    What options are available to me? Is there any sort of tweak-configuration to make a Cisco ASA work with Azure and dynamic routing?
    I was hoping Azure's VPN solution would be very flexible.
    Thanks

    Hello RTF_Admin,
    1. Which is the Series of CISCO ASA device you are using?
    Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
    Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
    However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as demonstrated in this blog:
    Step-By-Step: Create a Site-to-Site VPN between your network and Azure
    http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
    You can refer to this article for Cisco ASA templates for Static routing:
    http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
    If your requirement is only for Multi-Site VPN then there is no option but to upgrade the device as Multisite VPN requires dyanmic routing and unfortunately there is no tweak or workaround due to hardware compatibility issue.
    I hope that this information is helpful
    Thanks,
    Syed Irfan Hussain

  • RV042 Site-to-Stie VPN with NAT on one side

    I set up a site-to-site VPN using two RV042s some time ago.  One was behind a NATting router.  The other was the internet interface itself.
    Somewhere I had found a paper describing how to do this.  It said that only ONE of them could be behind another NATting router.  So, that's how this was set up.  I sure wish I could find that paper again!!!  Any suggestions?
    Now I have to do the same thing again but can't get it working.  It looks like this:
    RV042 VPN public address <> cable modem <> internet <> RV042 "firewall" with IPSEC passthrough enabled <> interim subnet LAN <> RV042 VPN <> LAN
    I'm getting log messages and on the remote site log (the left side of the above) like:
    initial Aggressive Mode packet claiming to be from [xxx.xxx.xxx.xxx] on [same] but no connection has been authorized 
    and
    No suitable connection for peer '10.98.76.2', Please check Phase 1 ID value 
    (where 10.98.76.2 is the IP address of the RV042 WAN port on the interim subnet)
    I have them both in Aggressive mode as eventually I'll be using a dyndns url.  But, for now, I'm using the actual IP addresses so that should not be an issue one way or the other..

    make sure the configuration u do on both the side should be same....and secondly exempt the NAT rules then only it will work.

  • Setting up Site-to-Site VPN and nat on IOS

    I have a senario I am looking to setup. I have a Cisco 3825 router that handles roughly 50 site-to-site VPN's. I have a particular VPN where I would like to nat (actually overload) off an interface for a specific VPN site-to-site tunnel. I know when you are doing nat you of course have an inside and an outside interface which I do on the router but how would you overload (pat) on an interface for just a specific VPN tunnel? Say you wanted to overload your entire internal supernet to a single private (RFC 1918) interface addess? Typically the outside interface (nat outside) what you would overload off of has a public ip address, but in this case you want to use a private RFC 1918 address as the source of the overload interface?
    Any help is appreciated.

    hi ,
    did you think of using a normal statment and use a route map with that statment that only permit the VPN traffic to be natted using that statment and deny any other translation , and for the crypto access-list you should use the source as the pattted ip address and the destination as the the remote proxies .
    regards.

  • Setting up site to site vpn with cisco asa 5505

    I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
    IP of remote office router is 71.37.178.142
    IP of the main office firewall is 209.117.141.82
    Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.
    ciscoasa# show run
    : Saved
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password TMACBloMlcBsq1kp encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
    access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group5
    crypto map outside_map 1 set peer 209.117.141.82
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn username [email protected] password ********* store-local
    dhcpd auto_config outside
    dhcpd address 192.168.1.2-192.168.1.129 inside
    dhcpd enable inside
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
    : end
    ciscoasa#
    Thanks!

    Hi Mandy,
    By using following access list define Peer IP as source and destination
    access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
    you are not defining the interesting traffic / subnets from both ends.
    Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
    !.1..source subnet(called local encryption domain) at your end  192.168.200.0
    !..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
    !..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
    !...at your end  192.168.200.0
    !..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
    !...at other end 192.168.100.0
    Please use Baisc Steps as follows:
    A. Configuration in your MAIN office  having IP = 209.117.141.82  (follow step 1 to 6)
    Step 1.
    Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    Step 2.
    Config ISAKMP Policy with minimum 4 parameters are to be config for
    crypto isakmp policy 10
    authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
    encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
    hash sha   --->  3rd parameter of ISAKMP Policy is OK
    group 5  --->  4th parameter of ISAKMP Policy is OK
    lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
    Step 3.
    Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
    Here in your case in step 2 Authentication is using PSK, looks you have not defines Password
    Use following command:
    crypto isakmp key 0 CISCO123 address 71.37.178.142
    or , but not both
    crypto isakmp key 6 CISCO123 address71.37.178.142
    step 4.
    Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
    Here is yours one:
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
    crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
    or
    crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
    Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
    ah-sha-hmac or  ah-md5-hmac
    crypto ipsec transform-set TSET1 ah-sha-hmac
    or
    crypto ipsec transform-set TSET1 ah-md5-hmac
    Step 5.
    Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
    crypto map ipsec-isakmp
    1. Define peer -- called WHO to set tunnel with
    2. Define or call WHICH - Transform Set
    3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
    Like in your case it is but ipsec-isakmp keyword missing in the ;ast
    crypto map outside_map 10 ipsec-isakmp
    1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
    2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
    !..In you case it is correct
    !...set transform-set ESP-AES-256-SHA (also correct)
    3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
    4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
    Step 6.
    Now apply this one crypto MAP to your OUTSIDE interface always
    interface outside
    crypto map outside_map
    Configure the same but just change ACL on other end in step one  by reversing source and destination
    and also set the peer IP of this router in other end.
    So other side config should look as follows:
    B.  Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)
    Step 7.
    Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
    access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
    Step 8.
    Config ISAKMP Policy with minimum 4 parameters are to be config for
    crypto isakmp policy 10
    authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
    encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
    hash sha   --->  3rd parameter of ISAKMP Policy is OK
    group 5  --->  4th parameter of ISAKMP Policy is OK
    lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
    Step 9.
    Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
    Here in your case in step 8 Authentication is using PSK, looks you have not defines Password
    Use following command:
    crypto isakmp key 0 CISCO123 address 209.117.141.82
    or , but not both
    crypto isakmp key 6 CISCO123 address 209.117.141.82
    step 10.
    Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
    Here is yours one:
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
    crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
    or
    crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
    Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
    ah-sha-hmac or  ah-md5-hmac
    crypto ipsec transform-set TSET1 ah-sha-hmac
    or
    crypto ipsec transform-set TSET1 ah-md5-hmac
    Step 11.
    Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
    crypto map    ipsec-isakmp
    1. Define peer -- called WHO to set tunnel with
    2. Define or call WHICH - Transform Set, only one is permissible
    3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
    Like in your case it is but ipsec-isakmp keyword missing in the ;ast
    crypto map outside_map 10 ipsec-isakmp
    1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
    2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
    !..In you case it is correct
    !...set transform-set ESP-AES-256-SHA (also correct)
    3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
    4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
    Step 12.
    Now apply this one crypto MAP to your OUTSIDE interface always
    interface outside
    crypto map outside_map
    Now initite a ping
    Here is for your summary:
    IPSec: Site to Site - Routers
    Configuration Steps
    Phase 1
    Step 1: Configure Mirrored ACL/Crypto ACL       for Interesting Traffic
    Step 2: Configure ISAKMP Policy
    Step 3: Configure ISAKMP Key
    Phase 2
    Step 4: Configure Transform Set
    Step 5: Configure Crypto Map
    Step 6: Apply Crypto Map to an Interface
    To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
    Router#debug crpyto isakmp
    Router#debug crpyto ipsec
    Router(config)# logging buffer 7
    Router(config)# logging buffer 99999
    Router(config)# logging console 6
    Router# clear logging
    Configuration
    In R1:
    (config)# access-list 101 permit ipo host 10.1.1.1 host      10.1.2.1
    (config)# crypto isakmp policy 10
    (config-policy)# encryption 3des
    (config-policy)# authentication pre-share
    (config-policy)# group 2
    (config-policy)# hash sha1
    (config)# crypto isakmp key 0 cisco address 2.2.2.1
    (config)# crypto ipsec transform-set TSET esp-3des      sha-aes-hmac
    (config)# crypto map CMAP 10 ipsec-isakmp
    (config-crypto-map)# set peer 2.2.2.1
    (config-crypto-map)# match address 101
    (config-crypto-map)# set transform-set TSET
    (config)# int f0/0
    (config-if)# crypto map CMAP
    Similarly in R2
    Verification Commands
    #show crypto isakmp SA
    #show crypto ipsec SA
    Change to Transport Mode, add the following command in Step 4:
    (config-tranform-set)# mode transport
    Even after  doing this change, the ipsec negotiation will still be done through  tunnel mode if pinged from Loopback to Loopback. To overcome this we  make changes to ACL.
    Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
    (config)# crypto isakmp peer address 2.2.2.1
    (config-peer)# set aggressive-mode password cisco
    (config-peer)# set aggressive-mode clien-endpoint       ipv4-address 2.2.2.1
    Similarly on R2.
    The below process is for the negotiation using RSA-SIG (PKI) as authentication type
    Debug Process:
    After  we debug, we can see the negotiation between the two peers. The first  packet of the interesting traffic triggers the ISAKMP (Phase1)  negotiation. Important messages are marked in BOLD and explanation in  RED
    R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    Packet sent with a source address of 2.2.2.2
    Mar  2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) //  Router tried to find any IPSec SA matching the outgoing connection but  no valid SA has been found in Security Association Database (SADB)
    Mar  2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
    Mar  2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
    Mar  2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
    Mar  2 16:18:42.939: ISAKMP: local port 500, remote port 500
    Mar  2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE    
    Mar  2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
    Mar  2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
    Mar  2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
    Mar  2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Mar  2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    Mar  2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
    Mar  2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
    Mar  2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Mar  2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
    Mar  2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    Mar  2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
    Mar  2 16:18:42.947:.!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
    R2(config)# ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Mar  2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
    Mar  2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    Mar  2 16:18:42.947: ISAKMP:      encryption 3DES-CBC
    Mar  2 16:18:42.947: ISAKMP:      hash SHA
    Mar  2 16:18:42.947: ISAKMP:      default group 2
    Mar  2 16:18:42.947: ISAKMP:      auth RSA sig
    Mar  2 16:18:42.947: ISAKMP:      life type in seconds
    Mar  2 16:18:42.947: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Mar  2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
    Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
    Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
    Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
    Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Mar  2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
    Mar  2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
    Mar  2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Mar  2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
    Mar  2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
    Mar  2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Mar  2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
    Mar  2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Mar  2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
    Mar  2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
    Mar  2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
    Mar  2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
    Mar  2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
    Mar  2 16:18:43.007:  Choosing trustpoint CA_Server as issuer
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
    Mar  2 16:18:43.007: ISAKMP:received payload type 20
    Mar  2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
    Mar  2 16:18:43.007: ISAKMP:received payload type 20
    Mar  2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
    Mar  2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Mar  2 16:18:43.011: ISAKMP:(1008):Send initial contact
    Mar  2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
    Mar  2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
    Mar  2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
    Mar  2 16:18:43.011: ISAKMP (1008): ID payload
              next-payload : 6
              type         : 2
              FQDN name    : R2
              protocol     : 17
              port         : 500
              length       : 10
    Mar  2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
    Mar  2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
    Mar  2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
    Mar  2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Mar  2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Mar  2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
    // "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
    Mar  2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
    Mar  2 16:18:43.047: ISAKMP (1008): ID payload
              next-payload : 6
              type         : 2
              FQDN name    : ASA1
              protocol     : 0
              port         : 0
              length       : 12
    Mar  2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
    Mar  2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
    Mar  2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
    Mar  2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
    Mar  2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
    Mar  2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
    Mar  2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
    Mar  2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
    Mar  2 16:18:43.067: ISAKMP:received payload type 17
    Mar  2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
    Mar  2 16:18:43.067: ISAKMP:(1008):SA authentication status:
              authenticated
    Mar  2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
    Mar  2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/,  and inserted successfully 46519678. // SA inserted into SADB
    Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5  New State = IKE_I_MM6
    Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_I_MM6
    Mar  2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
    Mar  2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
    Mar  2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
    Mar  2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
    Mar  2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    Mar  2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Mar  2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
    Mar  2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
    Mar  2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
    Mar  2 16:18:43.079: ISAKMP:   attributes in transform:
    Mar  2 16:18:43.079: ISAKMP:      SA life type in seconds
    Mar  2 16:18:43.079: ISAKMP:      SA life duration (basic) of 3600
    Mar  2 16:18:43.079: ISAKMP:      SA life type in kilobytes
    Mar  2 16:18:43.079: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    Mar  2 16:18:43.079: ISAKMP:      encaps is 1 (Tunnel)
    Mar  2 16:18:43.079: ISAKMP:      authenticator is HMAC-SHA
    Mar  2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
    Mar  2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
    Mar  2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
    Mar  2 16:18:43.083:         inbound SA from 20.1.1.10 to 40.1.1.1 (f/i)  0/ 0
              (proxy 1.1.1.1 to 2.2.2.2)
    Mar  2 16:18:43.083:         has spi 0xA9A66D46 and conn_id 0
    Mar  2 16:18:43.083:         lifetime of 3600 seconds
    Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
    Mar  2 16:18:43.083:         outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
              (proxy 2.2.2.2 to 1.1.1.1)
    Mar  2 16:18:43.083:         has spi  0x2B367FB4 and conn_id 0
    Mar  2 16:18:43.083:         lifetime of 3600 seconds
    Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
    Mar  2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
    Mar  2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
    Mar  2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    Mar  2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
    Verification Commands
    #show crypto isakmp SA
    #show crypto ipsec SA
    Kindly rate if you find the explanation useful !!
    Best Regards
    Sachin Garg

Maybe you are looking for

  • Playback of purchased music skips, wrong speed, etc.

    Ok, this was going to be a question, but maybe it will help diagnose future problems. Software: iTunes 6.0.4 (3) FireFox 1.5.0.3 (most recently updated) OS 10.4.6 Hardware: PowerMac G5 dual processor 2Ghz recently added 2GB of RAM for total of 2.5GB

  • Java.lang.NoClassDefFoundError: oracle/jbo/common/ampool/ApplicationPoolException

    Oracle 9iAS J2EE Container 2.0 running on Sun Solaris 5.8 Development Env: Oracle 9i JDeveloper Release Candidate running on Win2000 I have created a few JSPs in Jdeveloper and they work fine in the embedded OC4J server on Windows. Then I downloaded

  • Importing & exporting script

    hi experts, through program "RSTXSCRP" we can export or import the script to hard disk. my doubt is in the selection screen: we have "control parameters for file operation" what is the purpose of them. one more is we have "control of language version

  • Functional specs for Hierarchies

    Hello GURUS, Please any one provide me functionalspecs and Technical specs for Hierarchies. Thanks, Sekhar.

  • I'm asked for my registered phone # and PIN

    Why am I asked to enter my registered phone # and PIN? When you call your Skype To Go numbers, you are identified by your registered phone’s caller ID and won’t need to enter your registered phone number and PIN for authentication purposes. There are