The tale of two IPSec Tunnels...
I'm trying to set up an ipsec tunnel at a particular site, and I am just stumped at this point. I have two sites I'm working with, a test site on my bench and the other actual site at another location. Both are ASA 5510's, both are running ASA v8.2(5). The test site has a 3560 off of it, and the production site has a 3750 stack off it. I don't think that part should matter, though.
I used the wizard to create the ipsec configuration on both devices, test and prod, and used the same naming on both to help compare. The test site connects and I can ssh to the 3560 behind it just fine. The production site, however, cannot connect to that 3750 or ping it to save my life. I've pored through the configs on both, and although there are just a couple of differences, the two ASAs are pretty close in configs.
At first I thought it was an acl issue, but I've filtered the logs by syslog id 106023 to watch for denys by access group. When I try to connect to the 3750, I get absolutely no entry in the log that anything is being denied, so I figure that's not it.
Then I thought it may be a routing issue. The one difference between the two sites is that the test site is using eigrp to disperse routes between the asa and switch, while the production site is using static routes. But I also didn't think that would've mattered, because on the static route switch I even put a static route in there to the vpn network which didn't make a difference.
I've also run packet traces on the firewall when doing a ping, and on the test site I see echo requests and replies. On the production site I only see requests, no replies. My encap counters don't increment during pings, but the decap counters do, which makes sense.
Other things to note: The test site that works also has a site-to-site vpn up and running, so you'll see that in the config as well. Client is Mac OS X 10.6.8, using the Cisco IPSec Config.
I'm hoping someone can look at my configs and tell me if they see anything I'm missing on them that could help solve my problems. I'd appreciate it! Thanks
Test Site that works
Production Site that Doesn't
testasa01-5510# sh run
: Saved
ASA Version 8.2(5)
hostname testasa01-5510
names
interface Ethernet0/0
nameif outside
security-level 0
ip address <outsideif> 255.255.255.240
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.39.194.2 255.255.255.248
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
access-list inside_access_in extended permit ip 10.39.0.0 255.255.0.0 any log disable
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.139.0 255.255.255.240
access-list outside_cryptomap extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list remoteaccess extended permit ip 172.16.139.0 255.255.255.240 any log disable
tcp-map WSOptions
tcp-options range 24 31 allow
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn_ip_pool 172.16.139.0-172.16.139.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
global (outside) 100 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 10.39.0.0 255.255.0.0
access-group inside_access_in in interface inside
router eigrp 100
network 10.0.0.0 255.0.0.0
passive-interface default
no passive-interface inside
route outside 0.0.0.0 0.0.0.0 <outsideif> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs group1
crypto map outside_map1 1 set peer 209.242.145.200
crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 170
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server <server> source inside
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 8.8.8.8
vpn-filter value remoteaccess
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
split-tunnel-all-dns disable
vlan none
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool vpn_ip_pool
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *****
tunnel-group 111.222.333.444 type ipsec-l2l
tunnel-group 111.222.333.444
general-attributes
default-group-policy GroupPolicy1
tunnel-group 111.222.333.444
ipsec-attributes
pre-shared-key *****
class-map WSOptions-class
match any
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class WSOptions-class
set connection advanced-options WSOptions
policy-map type inspect ip-options ip-options-map
parameters
eool action allow
nop action allow
router-alert action allow
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
mp01-5510asa# sh run
: Saved
ASA Version 8.2(5)
hostname mp01-5510asa
names
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.29.194.2 255.255.255.252
interface Ethernet0/1
nameif dmz
security-level 50
ip address 172.16.29.1 255.255.255.0
interface Ethernet0/2
description
nameif backup
security-level 0
ip address <backupif> 255.255.255.252
interface Ethernet0/3
description
speed 100
duplex full
nameif outside
security-level 0
ip address <outsideif> 255.255.255.248
interface Management0/0
nameif management
security-level 100
ip address 10.29.199.11 255.255.255.0
management-only
banner login Authorized Use Only
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group network DM_INLINE_NETWORK_1
network-object 10.29.1.0 255.255.255.0
network-object 10.29.15.0 255.255.255.0
network-object 10.29.199.0 255.255.255.0
network-object 10.29.200.0 255.255.255.0
network-object 10.29.31.0 255.255.255.0
access-list inside_access_in extended permit ip 10.29.0.0 255.255.0.0 any log warnings
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any log warnings
access-list inside_access_in extended permit ip 192.168.29.0 255.255.255.0 any log warnings
access-list inside_access_in extended permit ip 10.29.32.0 255.255.255.0 any log warnings
access-list outside_access_in extended permit ip any host 50.59.30.116 log warnings
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.254.29.0 255.255.255.0 log warnings
access-list remoteaccess extended permit ip 10.254.29.0 255.255.255.0 any log warnings
access-list RemoteAccess2_splitTunnelAcl standard permit 10.29.0.0 255.255.0.0
pager lines 24
logging enable
logging list acl-messages message 106023
logging buffered acl-messages
logging asdm acl-messages
mtu inside 1500
mtu dmz 1500
mtu backup 1500
mtu outside 1500
mtu management 1500
ip local pool vpn_ip_pool3 10.254.29.0-10.254.29.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
asdm history enable
arp timeout 14400
global (inside) 201 interface
global (dmz) 101 interface
global (backup) 101 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.29.1.0 255.255.255.0
nat (inside) 101 10.29.15.0 255.255.255.0
nat (inside) 101 10.29.31.0 255.255.255.0
nat (inside) 101 10.29.32.0 255.255.255.0
nat (inside) 101 10.29.199.0 255.255.255.0
nat (inside) 101 10.29.200.0 255.255.255.0
nat (inside) 101 192.168.29.0 255.255.255.0
static (inside,outside) <outsideif> 10.29.15.10 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.59.30.113 1 track 1
route backup 0.0.0.0 0.0.0.0 205.179.122.165 254
route management 10.0.0.0 255.0.0.0 10.29.199.1 1
route inside 10.29.0.0 255.255.0.0 10.29.194.1 1
route inside 192.168.29.0 255.255.255.0 10.29.194.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
type echo protocol ipIcmpEcho 74.125.239.16 interface outside
num-packets 3
frequency 10
sla monitor schedule 100 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 100 reachability
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.200.1.41 source inside
webvpn
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 8.8.8.8
vpn-filter value remoteaccess
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
split-tunnel-all-dns disable
vlan none
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool vpn_ip_pool3
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
testasa01-5510# sh crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.139.1/255.255.255.255/0/0)
current_peer: <peer ip>, username: blah
dynamic allocated peer ip: 172.16.139.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 0A7F396F
current inbound spi : E87AF806
inbound esp sas:
spi: 0xE87AF806 (3900372998)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3587
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x7FFFFFFF
outbound esp sas:
spi: 0x0A7F396F (176109935)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3587
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
mp01-5510asa# sh crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.254.29.1/255.255.255.255/0/0)
current_peer: <peer ip>, username: blah
dynamic allocated peer ip: 10.254.29.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 096265D4
current inbound spi : F5E4780C
inbound esp sas:
spi: 0xF5E4780C (4125390860)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3576
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x001FFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x096265D4 (157443540)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3576
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
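The two outputs above show the same asymmetry on the production box that the question describes: decaps climbing while encaps stays at zero, so the client's packets arrive and are decrypted but nothing is ever encrypted back. The block below is an added example, not code from the post or from Cisco. It is a small Python cross-check that reads excerpts of the two configs posted above and reports, for the client address shown in each `sh crypto ipsec sa` and one inside host, which static `route` line is the longest-prefix match for the client and whether the nat0, split-tunnel and vpn-filter ACLs cover that host/client pair. The inside hosts it uses are assumptions: 10.39.194.1 and 10.29.194.1 are the inside next-hops in each config, taken here to stand for the switches, and 192.168.29.10 is a made-up address in the 192.168.29.0/24 network the reply mentions. It does not expand object-groups and does not model connected or tunnel-installed routes, so the route it prints is a reading aid for the static table, not a statement of how the ASA forwards.

```python
"""Cross-check of the config pieces a remote-access client's return path uses.

Added example (not from the original post): parses config excerpts copied from
the two 'sh run' outputs above. Object-groups are not expanded; only static
'route' lines are considered.
"""
import ipaddress
import re

# Excerpt of the working test site config (lines copied from the post above).
TEST_CFG = """
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.139.0 255.255.255.240
access-list remoteaccess extended permit ip 172.16.139.0 255.255.255.240 any log disable
ip local pool vpn_ip_pool 172.16.139.0-172.16.139.10 mask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 <outsideif> 1
"""

# Excerpt of the non-working production site config (lines copied from the post above).
PROD_CFG = """
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.254.29.0 255.255.255.0 log warnings
access-list remoteaccess extended permit ip 10.254.29.0 255.255.255.0 any log warnings
ip local pool vpn_ip_pool3 10.254.29.0-10.254.29.10 mask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 50.59.30.113 1 track 1
route backup 0.0.0.0 0.0.0.0 205.179.122.165 254
route management 10.0.0.0 255.0.0.0 10.29.199.1 1
route inside 10.29.0.0 255.255.0.0 10.29.194.1 1
route inside 192.168.29.0 255.255.255.0 10.29.194.1 1
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_static_routes(cfg):
    """Return (interface, network, next_hop, metric) for each 'route' line."""
    routes = []
    for m in re.finditer(r"^route (\S+) (\S+) (\S+) (\S+) (\d+)", cfg, re.M):
        iface, net, mask, nh, metric = m.groups()
        routes.append((iface, ipaddress.ip_network(f"{net}/{mask}", strict=False), nh, int(metric)))
    return routes


def longest_match(routes, ip):
    """Longest-prefix match over the static table; lower metric breaks ties."""
    ip = ipaddress.ip_address(ip)
    best = None
    for r in routes:
        if ip in r[1] and (best is None or (r[1].prefixlen, -r[3]) > (best[1].prefixlen, -best[3])):
            best = r
    return best


def _addr(tokens):
    """Consume one ASA ACL address term; None marks an object-group we don't expand."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "object-group":
        return None, tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acls(cfg):
    """Map ACL name -> list of (src_net, dst_net) permit-ip entries (standard ACLs get dst=ANY)."""
    acls = {}
    for line in cfg.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "permit":
            continue
        if t[2] == "extended" and t[4] == "ip":
            src, rest = _addr(t[5:])
            dst, _ = _addr(rest)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[2] == "standard":
            acls.setdefault(t[1], []).append((ipaddress.ip_network(f"{t[4]}/{t[5]}", strict=False), ANY))
    return acls


def acl_permits(acls, name, src_ip, dst_ip="0.0.0.0"):
    """True if a parsed entry of ACL `name` covers src_ip (and dst_ip when given)."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src is not None and dst is not None and src_ip in src and dst_ip in dst
               for src, dst in acls.get(name, []))


def audit(cfg, client_ip, inside_host):
    """Summarise route and ACL coverage for one inside host talking to one VPN client."""
    routes, acls = parse_static_routes(cfg), parse_acls(cfg)
    best = longest_match(routes, client_ip)
    return {
        "route_to_client": f"{best[1]} via {best[0]} next-hop {best[2]}" if best else "none",
        "nat0_exempts_return": acl_permits(acls, "inside_nat0_outbound", inside_host, client_ip),
        "split_tunnel_has_host": acl_permits(acls, "RemoteAccess_splitTunnelAcl", inside_host),
        "vpn_filter_permits": acl_permits(acls, "remoteaccess", client_ip, inside_host),
    }


if __name__ == "__main__":
    # Client addresses come from the 'sh crypto ipsec sa' outputs above. The inside
    # hosts are assumptions: the inside next-hops of each config, plus a constructed
    # address in the 192.168.29.0/24 network from the reply.
    for site, cfg, client, host in (("test", TEST_CFG, "172.16.139.1", "10.39.194.1"),
                                    ("prod", PROD_CFG, "10.254.29.1", "10.29.194.1"),
                                    ("prod", PROD_CFG, "10.254.29.1", "192.168.29.10")):
        print(site, host, audit(cfg, client, host))
```

Run as a script it prints one line per site and host. For the production excerpt, the client address sits under the `route management 10.0.0.0 255.0.0.0` line rather than any inside or outside route, and the 192.168.29.0/24 host is outside the split-tunnel list, which is the entry the reply suggests adding; for the test excerpt the only static match is the default route out `outside`.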
Config (non-working site) looks fine (unless I missed something :)). You may want to add:
access-list RemoteAccess_splitTunnelAcl standard permit 192.168.29.0 255.255.255.0
Try by taking out the vpn-filter: vpn-filter value remoteaccess
To further t-shoot, try using packet tracer from ASA to the client...
https://supportforums.cisco.com/docs/DOC-5796
Thx
MS
Similar Messages
-
Hi, all,
I have seen a good post in google.com about how to send all the client's traffic through the IPsec tunnel and then out to the Internet from the main site. Now I attach this configuration and application for discussion. The problem is that I am still confused about the configuration on the main site; I hope someone can tell me more detail and how to accomplish it. Any answer will be appreciated, thank you!
Quote :
Question:
Mine is a very simple configuration. I have 2 sites linked via an IPsec tunnel. Dallas is my Main HQ R1 and Austin R2 is my remote office. I want all traffic from Austin to route thru the tunnel up to Dallas, then out to the Internet.
Dallas (Main) Lan Net is: 10.10.200.0/24
Austin (Remote) LAN Net is: 10.20.2.0/24
The Dallas (Main) site has a VPN config of:
Local Net: 0.0.0.0/0
Remote Net: 10.20.2.0/24
The Austin (Remote) site has a VPN config of:
Local Net: 10.20.2.0/24
Remote Net: 0.0.0.0/0
The tunnel gets established just fine. From the Austin LAN clients, I can ping the router at the main site (10.10.200.1). This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.
I'm sure it's something simple I failed to configure. Anyone have any pointers or hints?
Answer:
Thanks to Jimp from the other thread, I was able to see why it was not working. To fix, I had to change the Outbound NAT on the main side to Manual. Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0). Basically, I just created a copy of the default rule and changed the Source network.
Once I made this change, Voila! Traffic from the remote side started heading out to the Internet. Now all traffic flows thru the Main site. It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.
My question:
The answer said "To fix, I had to change the Outbound NAT on the main side to Manual. Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0). Basically, I just created a copy of the default rule and changed the Source network." What does this mean and how do I do it? Could anybody give me the specific configuration? Thanks a lot.
Thank you for Jouni's reply. Following is the configuration on the Cisco 2800 router, no firewall enabled:
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 2
crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
crypto dynamic-map IPsecdyn 100
set transform-set IPsectrans
match address 102
crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
interface Loopback1
ip address 10.10.200.1 255.255.255.0
interface FastEthernet0/0
ip address 113.113.1.1 255.255.255.128
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map IPsecmap
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 113.113.1.2
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any 10.20.2.0 0.0.0.255
-
IPSec tunnel and policy NAT question
Hello All!
I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPSEC tunnel as follows:
1. I need to translate incoming IP address of the remote end of IPSec tunnel to some other IP address on our end
2. I need to translate the outgoing IP address of our end of the IPSec tunnel to a different IP address
I have implemented the following configuration, but for some reason it is not working. I get packets decrypted on my end, but don't have packets encrypted to send to the other end.
Here is the configuration
Remote end crypto interesting ACL:
ip access-list extended crypto-interesting-remote
permit ip host 192.168.1.10 host 10.0.0.10
My end configuration:
interface GigabitEthernet0/0
ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map VPN
ip access-list extended crypto-interesting-local
permit ip host 10.0.0.10 host 192.168.1.10
interface GigabitEthernet0/3
ip address 172.16.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
speed auto
ip nat inside source static 172.16.0.20 10.0.0.10 (to translate local IP address to the one on the crypto-interesting list - exposed to the remote peer - it works)
ip nat outside source static 192.168.1.10 192.168.168.10 (to translate remote IP address to some other IP address on our end - not working - I get packets decrypted, but no packets encrypted)
ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa
All the routes are set, crypto ipsec tunnel is up and working and I am wondering if this is possible to achieve two-way NAT translation ?
Any response highly appreciated!
Thanks!
Figured that out.
The problem was in route
ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
should be next-hop IP address instead of interface gigabitethernet0/0
Apparently the packet arrives on the interface but does not pass it when having a route like this, because there is no one sitting with the 192.168.168.10 IP address on the outside -
How many IPSec Tunnels an ASA 5500 series supports
Hi All,
I tried looking in the ASA documentation but was unable to find out how many IPSec Tunnels can be terminated on an ASA cluster. I have a 5545 running only two IPSec Tunnels so far but need to terminate 18 sites all up and would like to confirm how many tunnels we could terminate. Is there a limitation to it?
Thanks heaps
Shan
Yes, there is a limit. But it's far away from your requirement. On the 5545-X you can terminate 2500 VPN-Peers:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
-
IPSec Tunnel and Making Changes While Up
My main MPLS circuit is down and I have two IPSec tunnels up to my remote sites.
Everything is routing fine but I wanted to add a subnet to my NAT and Tunnels.
Can I add a new subnet to my local network/remote network and save/apply without killing or resetting my active IPSec tunnels?
Reza has interpreted your question in terms of NAT and I agree with him that you should be able to change the NAT configuration without impacting other parts of the router operation and connectivity.
But I read your question as involving both NAT and IPSec tunnels. And I believe that the answer is different when you consider IPSec tunnels. You can go ahead and change the configuration of the tunnels while they are up. But the tunnels negotiated their Security Associations based on the config in place when the tunnels came up. They will continue to use those Security Associations after you make your config change. So if you are changing things like what subnets are in the access list used to identify traffic for IPSec, these changes will not take effect until a new Security Association is negotiated. You can either wait for the lifetime to expire and a new SA to be negotiated, or you can reset the IPSec tunnels and force a new negotiation. Also note that if you are changing the access list on your end, someone on the other end needs to make a corresponding change on their end.
HTH
Rick -
AP registration over IPSEC Tunnel(ASA)
Guys,
I have my WAP sitting behind an ASA and have an ipsec tunnel between the ASA and a router. Below is the topology:
WAP>>ASA<<< IPSEC TUNNEL>>> Router<<<WLC
Recently we have replaced the router with an ASA 5505 for security reasons and since then the WAP is not able to register with the WLC. We have the VPN tunnel up and working. Even the WAP is able to ping the WLC IP address.
Do we need any special configuration in my ASA considering the above topology? I can confirm that the CAPWAP and LWAPP ports are open in the ASA.
Please let me know if someone has faced this issue before.
Hi,
I hope you have already allowed the below mentioned ports as per your requirement.
You must enable these ports:
Enable these UDP ports for LWAPP traffic:
Data - 12222
Control - 12223
Enable these UDP ports for mobility traffic:
16666 - 16666
16667 - 16667
Enable UDP ports 5246 and 5247 for CAPWAP traffic.
TCP 161 and 162 for SNMP (for the Wireless Control System [WCS])
These ports are optional (depending on your requirements):
UDP 69 for TFTP
TCP 80 and/or 443 for HTTP or HTTPS for GUI access
TCP 23 and/or 22 for Telnet or SSH for CLI access
Also if it goes over the IPSec VPN, MTU size for the path between AP and WLC should be of 1500, if it has the lesser MTU, then communication fails.
Can you get me your WLC and ASA OS versions?
Regards
Karthik -
IPsec tunnel with two RV180W in LAN
Hi all,
I've to set up a couple of RV180W devices to connect several branch offices with IPsec tunnels with one back office.
Because I'm new to Cisco devices, my intention is to set up two RV180W devices in our LAN in such a way that they establish an IPsec tunnel. Both of them have an IP address in the net 192.168.179.x and each RV180W has its own IP net (192.168.10.x and 192.168.11.x). The idea is to have a PC in each of the networks of the RV180Ws and several outside, to check by the PCs' visibility/connectivity whether the VPN is working or not. Later on I'll have to change the network addresses, but I'll know that the IPsec settings are working.
I've used the 'Basic VPN Setup' on both devices to configure the tunnel, but it won't be established, its status remains on 'IPsec SA Not Established'.
Am I completely wrong with my approach? Or am I blind and overlooking something essential within the configuration?
Here the configurations of both devices:
device 1:
device 2:
Thanks in advance for your ideas and help.
Best regards, Lars
I'm trying to connect an RV180W to my RV082 and I get IPSec SA Not Established. I've checked my settings numerous times and they are the same on both routers (aside from different gateway IP and LAN subnet).
-
Is it possible to build two different L2TP/IPSec tunnels per subnet or per user?
Dear colleagues
I wondered whether anyone could help with this one.
Is it possible to build two different L2TP/IPSec tunnels per subnet or per user on a Cisco router or any other third-party manufacturer? The idea behind it is to allow different access to resources for different support technicians. Your help is much appreciated.
Sure, the ASA can use LDAP/AD information to select what access list should be applied for that specific user or group of users logging into the VPN. You can use what's called DAP or just LDAP Attribute Maps.
-
IPSEC Tunnel trouble between two VRW200
Hi,
First... a note of disappointment: Linksys tech support seems to say: "You have selected a product that is not supported via Linksys Chat." I am not sure why... is it not a supported model any more?
Anyway...the real problem I have is:
I got 2 sites. Both use a VRW200 router with Firmware Version: 1.0.39.
The routers do their job nice on LAN and WAN and WLAN.
I need to connect the 2 sites via VPN IPSEC tunnel to ensure resources can be shared...imagine as a mini branch office and a Small main office.
QuickVPN works nice for both, that is how I can manage both routers from home, but we need more, a tunnel between the 2 networks.
I set up the tunnel on both ends using the exact same settings, except that the branch accepts connections from ANY and the main office calls the branch by FQDN using dyndns.
In VPN summary of the Branch, the status is ANY, in the office it is T (Try to connect to Remote Peer.)
The connection seems to be up for a while...not short, but less than a day even with this T status, but it never becomes C and it disconnects eventually.
Pasting here details of the VPN tunnel from the main office (altered the IP addresses a little bit but consequently):
000 "TunnelA": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "TunnelA": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 60s; rekey_fuzz: 100%; keyingtries: 5
000 "TunnelA": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
000 "TunnelA": dpd: action:restart; delay:30; timeout:120;
000 "TunnelA": newest ISAKMP SA: #304; newest IPsec SA: #305;
000 "TunnelA": IKE algorithms wanted: 5_000-2-2, flags=strict
000 "TunnelA": IKE algorithms found: 5_192-2_096-2,
000 "TunnelA": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "TunnelA": ESP algorithms wanted: 3_000-2, flags=strict
000 "TunnelA": ESP algorithms loaded: 3_000-2, flags=strict
000 "TunnelA": ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=<Phase1>
000 #305: "TunnelA":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1773s; newest IPSEC; eroute owner
000 #305: "TunnelA" [email protected] [email protected] [email protected] [email protected]
000 #304: "TunnelA":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26954s; newest ISAKMP; lastdpd=26s(seq in:432 out:0)
Can anyone please help me to get a C into the connection status?
Thanks,
Dezso
Are you using WRV200? Try checking the group if they are using the correct server addresses.
Regards,
Lord Maxthor -
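The status dump Dezso pasted has the `000 "conn":` line format of Openswan's pluto daemon (`ipsec whack --status`), which the router's firmware appears to use underneath. The following added example (my code, not from the thread, Linksys or Openswan) parses that output into one record per connection, so the daemon's own view of Phase 1 and Phase 2 can be compared with what the web UI reports. The sample text is the post's own lines, the state-name sets are standard Openswan state names, and the dictionary field names are my own.

```python
import re
from typing import Dict

# Constructed sample input: the "ipsec whack --status" style lines quoted in
# the post above, abridged to the ones this parser uses (not from any device).
SAMPLE_STATUS = """\
000 "TunnelA": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "TunnelA": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 60s; rekey_fuzz: 100%; keyingtries: 5
000 "TunnelA": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
000 "TunnelA": dpd: action:restart; delay:30; timeout:120;
000 "TunnelA": newest ISAKMP SA: #304; newest IPsec SA: #305;
000 "TunnelA": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "TunnelA": ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=<Phase1>
000 #305: "TunnelA":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1773s; newest IPSEC; eroute owner
000 #304: "TunnelA":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26954s; newest ISAKMP; lastdpd=26s(seq in:432 out:0)
"""

# Per-connection lines: 000 "name": <key/value text>
CONN_RE = re.compile(r'^000 "(?P<conn>[^"]+)": (?P<rest>.*)$')
# Per-SA lines: 000 #<num>: "name":<port> STATE_... (desc); EVENT_... in <n>s; <tail>
SA_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) '
    r'\((?P<desc>[^)]*)\); EVENT_\w+ in (?P<replace>\d+)s;(?P<tail>.*)$')
LASTDPD_RE = re.compile(r'lastdpd=(?P<age>\d+)s\(seq in:(?P<in>\d+) out:(?P<out>\d+)\)')

# Openswan state names that mean "established" for each phase.
PHASE1_UP = {"STATE_MAIN_I4", "STATE_MAIN_R3", "STATE_AGGR_I2", "STATE_AGGR_R2"}
PHASE2_UP = {"STATE_QUICK_I2", "STATE_QUICK_R2"}


def _num(v: str):
    return int(v) if v.isdigit() else v


def parse_status(text: str) -> Dict[str, dict]:
    """Group the per-connection and per-SA lines into one dict per connection."""
    conns: Dict[str, dict] = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            c = conns.setdefault(m["conn"], {"sa": {}})
            rest = m["rest"]
            if rest.startswith("newest ISAKMP SA:"):
                isakmp, ipsec = re.findall(r"#(\d+)", rest)[:2]   # "#0" means none
                c["isakmp_sa"], c["ipsec_sa"] = int(isakmp), int(ipsec)
            elif rest.startswith("IKE algorithm newest:"):
                c["ike_alg"] = rest.split(":", 1)[1].strip()
            elif rest.startswith("ESP algorithm newest:"):
                c["esp_alg"] = rest.split(":", 1)[1].split(";")[0].strip()
            elif rest.startswith("dpd:"):
                c["dpd"] = {k: _num(v) for k, v in
                            re.findall(r"(action|delay|timeout):(\w+)", rest)}
            continue
        m = SA_RE.match(line)
        if m:
            c = conns.setdefault(m["conn"], {"sa": {}})
            entry = {"state": m["state"], "replace_in": int(m["replace"]),
                     "eroute_owner": "eroute owner" in m["tail"]}
            d = LASTDPD_RE.search(m["tail"])
            if d:
                entry["lastdpd"] = {"age": int(d["age"]), "in": int(d["in"]), "out": int(d["out"])}
            c["sa"][int(m["num"])] = entry
    return conns


def phase_status(conns: Dict[str, dict], conn: str) -> dict:
    """Summarise whether Phase 1 and Phase 2 are established and who is sending DPD."""
    c = conns[conn]
    p1 = c["sa"].get(c.get("isakmp_sa", 0))
    p2 = c["sa"].get(c.get("ipsec_sa", 0))
    last = p1.get("lastdpd") if p1 else None
    return {
        "phase1_up": bool(p1) and p1["state"] in PHASE1_UP,
        "phase2_up": bool(p2) and p2["state"] in PHASE2_UP and p2["eroute_owner"],
        "phase1_replace_in": p1["replace_in"] if p1 else None,
        "phase2_replace_in": p2["replace_in"] if p2 else None,
        # True when only the peer has sent R_U_THERE probes on this ISAKMP SA
        "peer_dpd_only": bool(last) and last["in"] > 0 and last["out"] == 0,
    }


if __name__ == "__main__":
    conns = parse_status(SAMPLE_STATUS)
    for name in conns:
        print(name, conns[name].get("ike_alg"), conns[name].get("esp_alg"))
        print(phase_status(conns, name))
```

Run against the pasted output, the parser reports both phases established from the daemon's side (STATE_MAIN_I4 and STATE_QUICK_I2, with the IPsec SA owning the eroute) and a DPD counter of in:432 / out:0, i.e. the probes on this ISAKMP SA have all come from the peer. That is the daemon's view to hold against the UI's "T" status when comparing the two ends.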
Multiple site to site IPSec tunnels to one ASA5510
Question on ASA VPN tunnels. I have one ASA 5510 in our corporate office; I have two subnets in our corporate office that are configured in the ASA in an object group. I have a site-to-site IPSEC tunnel already up that has been working. I am trying to set up another site-to-site IPSEC tunnel to a different location that will need to be set up to access the same two subnets. I'm not sure if this can be set up or not; I think I had a problem with setting up two tunnels that were trying to connect to the same subnet, but that was between the same two ASAs. Anyway, the new tunnel to the new site is not coming up and I want to make sure it is not the subnet issue. The current working tunnel is between two ASA 5510s; the new tunnel we are trying to build is between the ASA and a SonicWall firewall. Any help would be appreciated.
Hi,
Regarding setting up the new L2L VPN connection..
Should be no problem (to my understanding) to configure the new L2L VPN connection through the other ISP interface (0/3). You will need to at least route the remote VPN peer's IP address towards that link. The L2L VPN forming should add a route for the remote networks through that L2L VPN. If not, reverse route injection should handle it in the crypto map configuration.
I guess rest of the setup depends on what will be using the 0/0 ISP and what will be using the 0/3 ISP.
If you are going to put the default route towards the 0/3 ISP you will have to think of something for the 0/0 ISP if some of your local LAN devices are going to use it for Internet also. (Possible routing problems) On the other hand if you have remote VPN Client users using the 0/0 ISP there should be no routing problem for them as they would be initiating connection through that 0/0 ISP link through ASA so ASA should know where to forward the return traffic.
Most of my two-ISP setups have been implemented with a router in front of the actual ASA/PIX/FWSM firewalls, where the router has performed policy routing based on the source IP address from the firewalls and then set the correct gateway towards the correct ISP.
- Jouni -
Not Seeing NAT Translations Across GRE IPSec Tunnel
Hello,
I have a P2P GRE over IPSec tunnel between two 3725s using NAT overload and the Internet as transport. I can reach the backside networks, tunnel endpoints, etc., and I have verified that the traffic is being encrypted. What I am not seeing, however, are any NAT translations taking place. They must be happening because my traffic is being routed through the tunnel via the public interfaces. I am assuming that this is a result of the checksum being altered when the translation is done.
Would I be correct in assuming that I could use something like NAT Transparency or IPSec over TCP/UDP to fix the problem and begin seeing NAT translations?
Thanks for any help you guys may be able to provide!
Anthony, CCNA (Network/Voice)
Can you send over the configurations?
You seem to have a phase 1 issue, it's not negotiating correctly.
Thanks -
Hello,
I have set up an IPSec VPN between two 3845 routers:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXXXXXXX address 1.1.1.1
crypto ipsec transform-set CTransformSet esp-3des esp-sha-hmac
crypto map MyCryptoMap local-address GigabitEthernet0/1
crypto map MyCryptoMap 15 ipsec-isakmp
set peer 1.1.1.1
set transform-set CTransformSet
set pfs group2
match address CryptoC
ip access-list extended CryptoC
permit ip 192.168.1.0 0.0.0.255 1.1.1.0 0.0.0.255
And similarly on the other side. It all works great once the tunnel is up and running. However, if I don't send any data from the 192.168.1 network to the 1.1.1 network for a while (5-10 minutes?), it seems to drop the tunnel, and the first request I make fails (I guess because the tunnel is establishing). Subsequent requests work fine again, but the first one always fails.
Is there any way to (preferably) make the first request succeed? Or if not, how to make the tunnel not drop after a certain time has passed? I have tried:
crypto ipsec security-association lifetime kilobytes 536870912
crypto ipsec security-association lifetime seconds 86400
crypto isakmp keepalive 10
...with no success! "show crypto ipsec sa" tells me there's plenty of time remaining on the inbound and outbound esp:
sa timing: remaining key lifetime (k/sec): (513953358/5739)
debug crypto ipsec
debug crypto isakmp
I just get this block:
Jul 19 12:50:48.145: ISAKMP (0:134217734): received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
Jul 19 12:50:48.145: ISAKMP: set new node -46235277 to QM_IDLE
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1): processing HASH payload. message ID = -46235277
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -46235277, sa = 64F91240
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):deleting node -46235277 error FALSE reason "Informational (in) state 1"
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):DPD/R_U_THERE received from peer 1.1.1.1, sequence 0x4BD2106F
Jul 19 12:50:48.145: ISAKMP: set new node 32334157 to QM_IDLE
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 1886462640, message ID = 32334157
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1): seq. no 0x4BD2106F
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):purging node 32334157
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
... every few minutes. It doesn't seem to be regular: 12:50:48, 12:53:00, 13:04:04, 13:07:36... even though the keepalive is set to 10 seconds. Not sure why that is.
When it "drops", there's no logging, and when it re-establishes there's nothing either, which seems to suggest it's not actually dropping... but when I remove the IPSec tunnel, I don't get the problem. So it must be something to do with it. -
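The DPD timestamps the poster lists can be checked mechanically rather than by eye. The following added example (my code, not from the thread or from Cisco) pulls the "DPD/R_U_THERE received from peer" lines out of `debug crypto isakmp` output, measures the interval between consecutive probes, compares it with the configured keepalive interval, and flags gaps in the DPD sequence number (a skipped sequence means a probe was sent but never reached this router). The first sample line is taken from the post's own debug output; the remaining lines are constructed with the timestamps the author listed and made-up sequence numbers, one of which is deliberately skipped to exercise the gap check. Note that these probes are received, not sent: the router shows itself as responder (R), so their spacing reflects the peer's DPD behaviour, and on IOS the default DPD mode is on-demand, in which R_U_THERE is only sent when a router has outbound traffic and has not heard from its peer within the interval.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample: line 2 is from the post; the later "received from peer"
# lines reuse the author's listed times with made-up sequence numbers
# (0x4BD21071 is intentionally missing).
SAMPLE_DEBUG = """\
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1): processing NOTIFY DPD/R_U_THERE protocol 1
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):DPD/R_U_THERE received from peer 1.1.1.1, sequence 0x4BD2106F
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
Jul 19 12:53:00.201: ISAKMP:(0:6:SW:1):DPD/R_U_THERE received from peer 1.1.1.1, sequence 0x4BD21070
Jul 19 13:04:04.377: ISAKMP:(0:6:SW:1):DPD/R_U_THERE received from peer 1.1.1.1, sequence 0x4BD21072
Jul 19 13:07:36.009: ISAKMP:(0:6:SW:1):DPD/R_U_THERE received from peer 1.1.1.1, sequence 0x4BD21073
"""

# IOS debug line: "<Mon DD HH:MM:SS.mmm>: ISAKMP...DPD/R_U_THERE received from peer <ip>, sequence 0x<hex>"
DPD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+): ISAKMP.*?"
    r"DPD/R_U_THERE received from peer (?P<peer>[^,\s]+), sequence (?P<seq>0x[0-9A-Fa-f]+)")


def parse_dpd_events(log: str) -> List[Dict]:
    """Extract (timestamp, peer, sequence) for every inbound R_U_THERE probe."""
    events = []
    for line in log.splitlines():
        m = DPD_RE.match(line)
        if not m:
            continue
        # IOS timestamps carry no year; strptime defaults to 1900, which is
        # fine because only the differences between timestamps are used.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
        events.append({"ts": ts, "peer": m["peer"], "seq": int(m["seq"], 16)})
    return events


def dpd_report(log: str, configured_interval: int) -> Dict:
    """Intervals between probes, whether they match the configured keepalive,
    and any holes in the DPD sequence numbers."""
    ev = parse_dpd_events(log)
    intervals = [round((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(ev, ev[1:])]
    seq_gaps = [(a["seq"], b["seq"]) for a, b in zip(ev, ev[1:]) if b["seq"] != a["seq"] + 1]
    return {
        "count": len(ev),
        "peers": sorted({e["peer"] for e in ev}),
        "intervals_s": intervals,
        "min_s": min(intervals) if intervals else None,
        "max_s": max(intervals) if intervals else None,
        # every gap within one second of the configured value => periodic DPD
        "periodic_at_configured": bool(intervals)
        and all(abs(i - configured_interval) <= 1 for i in intervals),
        "sequence_gaps": seq_gaps,
    }


if __name__ == "__main__":
    report = dpd_report(SAMPLE_DEBUG, configured_interval=10)
    print(f"{report['count']} probes from {report['peers']}")
    print("intervals (s):", report["intervals_s"])
    print("periodic at 10 s:", report["periodic_at_configured"])
    print("sequence gaps:", [(hex(a), hex(b)) for a, b in report["sequence_gaps"]])
```

On the constructed sample the intervals come out at 132, 664 and 212 seconds, nowhere near a 10-second period, and the skipped sequence number is reported as a gap. Feed it a longer `debug crypto isakmp` capture and the same function shows whether the probes are genuinely periodic or only appear when one side has been idle.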
Ipsec tunnel c7204vxr to c1941isr
I have a site-to-site IPsec tunnel between a c7204vxr and a c1941isr. The tunnel is established successfully, but I am noticing packet drops on the ingress to the c7204 from the c1941. Specifically, there is an SSL website that is being accessed that is behind the 1941. When a node from behind the 7204 is accessing it, 27 packets traverse successfully from the 7204 to the 1941. On the return, 38 packets are sent from the 1941 and only 21 make it to the 7204 (this is determined from tracking ACL hit counts placed at the inside interfaces of the 1941 and 7204). The log at the 7204 shows even fewer packets than that arrived (only two). The c7204 IOS does not have the ability for ip inspect log drop-pkt. The crypto ACL is a full IP ACL (access-list 105 permit ip <net> <mask> <net> <mask>). There are no other firewalls or NATting happening between the endpoints. I can ping nodes on both sides of the tunnel successfully with no loss or drops. A packet capture of the access attempt shows the node behind the 1941 continually sending TLS, SSL, and TCP packets to the node behind the 7204 without response. What other tools could be used to interrogate this?
Try doing an Embedded Packet Capture for ESP packets on the WAN interfaces of the routers and do a ping test. Use ICMP packets of a specific size, then extract the captures and check for the packets that are a little bigger than the size of the packets you have sent.
Then you can count them to see if all the packets of that size are being received. If the count is less, then there is ESP packet loss on the ISP path. -
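Two posts on this page turn on the same arithmetic: the reply just above says to look in the ESP capture for packets "a little bigger" than the pings you sent, and Karthik's earlier answer on CAPWAP over IPsec says the AP-to-WLC path needs a 1500-byte MTU. The following added example (my code, not from either thread or from Cisco) computes the on-the-wire size of an IPv4 ESP tunnel-mode packet for the 3DES/SHA1 suite used in the configs on this page (plus two common AES suites), so you know exactly which frame size to count in a capture, and finds the largest cleartext packet that still fits a 1500-byte path. The suite table, the assumption of an explicit per-packet IV, and the absence of NAT-T (unless asked for), compression and extra TFC padding are mine.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class EspSuite:
    iv_len: int      # explicit IV carried at the start of the ESP payload
    block_len: int   # cipher block size the padded payload must align to
    icv_len: int     # truncated HMAC appended as the ESP ICV


# Assumed parameters: 3DES/SHA1 as in the configs on this page, plus AES-CBC
# with SHA1-96 (RFC 2404) and SHA256-128 (RFC 4868) ICVs.
SUITES: Dict[str, EspSuite] = {
    "3des-sha1":  EspSuite(iv_len=8,  block_len=8,  icv_len=12),
    "aes-sha1":   EspSuite(iv_len=16, block_len=16, icv_len=12),
    "aes-sha256": EspSuite(iv_len=16, block_len=16, icv_len=16),
}

OUTER_IPV4 = 20   # new IP header added in tunnel mode (no options)
ESP_HEADER = 8    # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header
NAT_T_UDP = 8     # UDP header when ESP is encapsulated in UDP/4500


def esp_tunnel_size(inner_len: int, suite: str, nat_t: bool = False) -> int:
    """Wire size of an IPv4 ESP tunnel-mode packet carrying an inner_len-byte
    IP packet, including padding of (payload + trailer) to the block size."""
    s = SUITES[suite]
    pad = (-(inner_len + ESP_TRAILER)) % s.block_len
    size = OUTER_IPV4 + ESP_HEADER + s.iv_len + inner_len + pad + ESP_TRAILER + s.icv_len
    if nat_t:
        size += NAT_T_UDP
    return size


def max_inner_size(mtu: int, suite: str, nat_t: bool = False) -> int:
    """Largest inner IPv4 packet that still fits in mtu after ESP encapsulation,
    i.e. the tunnel MTU to set on the inside so the outer packet is never fragmented."""
    for inner in range(mtu, 0, -1):
        if esp_tunnel_size(inner, suite, nat_t) <= mtu:
            return inner
    raise ValueError("mtu too small for any payload")


def icmp_inner_len(payload: int) -> int:
    """Inner IP packet length for an ICMP echo with `payload` data bytes."""
    return 20 + 8 + payload


if __name__ == "__main__":
    for payload in (56, 1400, 1472):
        inner = icmp_inner_len(payload)
        print(f"ping with {payload}-byte payload: inner {inner} B -> "
              f"ESP on the wire {esp_tunnel_size(inner, '3des-sha1')} B")
    print("largest inner packet for a 1500-byte path, 3des-sha1:",
          max_inner_size(1500, "3des-sha1"))
    print("same with NAT-T:", max_inner_size(1500, "3des-sha1", nat_t=True))
```

For a default 56-byte ping the ESP packet comes out at 136 bytes, which is the size to filter on in the WAN capture. A 1472-byte ping payload (a 1500-byte inner packet) becomes 1552 bytes of ESP with 3DES/SHA1 and therefore fragments on a 1500-byte path; 1446 bytes is the largest inner packet that does not.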
IPSEC tunnel with NAT and NetMeeting
I have established an IPSEC tunnel with two Cisco 2621 routers. Clients over the Internet are able to dial into the MCU server, which is behind one of the Cisco 2621 routers configured with NAT, but the MCU is not able to call the client. The MCU is able to call any server or client on the LAN; however, it is not able to call anyone past the router configured with NAT. Could anyone who has experience with NAT and IPSEC help me out?
Thanks,
The following doc should help...
http://www.cisco.com/warp/public/707/ipsecnat.html -
I've got two ASA5510's, I have SITE-A and SITE-B
SITE-A connects to the INTERNET on one circuit and an MPLS circuit, on different interfaces on the router.
SITE-B connects to the INTERNET and MPLS on the same circuit.
My outside interface on the ASA at SITE-A has a public address of 1.2.3.4. On the router, it NATs that address to 10.25.25.5/29 when going out the MPLS interface.
At SITE-B, the outside interface on the ASA is 10.25.25.13/30, which has public IP address 4.3.2.1 NATed to it.
Currently, I am able to create two distinct (one at a time) tunnels which route the appropriate traffic through them. One tunnel is done completely over the MPLS circuit from site to site. The other tunnel goes out of SITE-A's internet connection, and jumps on the MPLS providers public network, then onto the MPLS network to get to SITE-B.
These both work marvelously. I am trying to accomplish having the IPSEC tunnel go over the MPLS circuit by default, but in the event that SITE-A loses MPLS connectivity, the tunnel will go over the internet.
These tunnels are currently landing on the ASA's and are not originating or landing on the routers, so I can't use (that I know of) routing on the router to determine which site to connect to.
TUNNEL-A = 10.25.25.5 to 10.25.25.13
TUNNEL-B = 1.2.3.4 to 4.3.2.1
Any information, or advice about this configuration would be greatly appreciated.
Thank you.
I don't know if this will solve your issue, but have you tried static route tracking?
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml