Solved: IPSEC / Crypto map configuration: Need to open firewall ports?

cindylee27 · ‎01-09-2008

Hi Experts,

I have the diagram below:

Server A -> A Firewall -> Router A <-> Router B <- B Firewall <- Server B

I am trying to do crypto map between Router A and B. There is NATed being done at both the firewall end.

Server A: 192.168.5.11

NATed at Firewall to 203.120.5.11

Server B: 172.16.16.11

NATed at Firewall to 203.123.16.11

I have done a permit access -list for 203.120.5.11 and 203.123.16.11 for the crypto map configuration.

But my question is whether i need to open any ports at the firewall end?

Currently the crypto not able to up.

Thanks.

Jon Marshall · ‎01-09-2008

Cindy

At the risk of making your headache worse :)

Phase 1 of your IPSEC is working fine.

The key bit out of your error file is

local_proxy= 172.26.128.0/255.255.255.0/0/0 (type=4),

remote_proxy= 172.23.184.0/255.255.255.0/0/0 (type=4),

Jan 9 08:32:45.649 GMT: IPSEC(validate_transform_proposal): proxy identities not supported

This is telling you that the routers disagree between what the local and remote networks are.

As you are Natting your servers to 203.x.x.x addressing these should not be the local and remote subnets.

Can you recheck your crypto map access-list and if still not clear post your router configs.

Jon

View solution in original post

Jon Marshall · ‎01-09-2008

Hi Cindy

If the IPSEC tunnel is between the 2 routers which it sounds as if it is then the answer is it depends :). As an example

Server A telnets to Server B.

1) Is there an access-list on the A firewall on the inside interface that might stop the traffic reaching router A.

2) If not can you confirm that the firewall is doing the NAT translation correctly.

3) Assuming 1 & 2 are okay is there a rule on firewall B that allows telnet traffic from ServerA to Server B.

If 3 is okay then no you should not have to open any more ports because the return traffic will be allowed as the ASA's are stateful firewalls.

If you are using something like ping between the 2 servers you may need additional access-list entries.

When you try to initiate a connection and you have

debug crypto isa

debug crypto ipsec

turned on on router A do you see anything ?

Jon

cindylee27 · ‎01-09-2008

Jon,

well the network layer is up.can ping without the crypto map configured and confirmed that the NAT working by pinging the nat ip.

headache now..

log as attached.

thanks!

Jon Marshall · ‎01-09-2008

Cindy

At the risk of making your headache worse :)

Phase 1 of your IPSEC is working fine.

The key bit out of your error file is

local_proxy= 172.26.128.0/255.255.255.0/0/0 (type=4),

remote_proxy= 172.23.184.0/255.255.255.0/0/0 (type=4),

Jan 9 08:32:45.649 GMT: IPSEC(validate_transform_proposal): proxy identities not supported

This is telling you that the routers disagree between what the local and remote networks are.

As you are Natting your servers to 203.x.x.x addressing these should not be the local and remote subnets.

Can you recheck your crypto map access-list and if still not clear post your router configs.

Jon

cindylee27 · ‎01-09-2008

Jon,

Great! Headache reduce tremendously..! :D

Put in the access list to any any..n yup,

you are right on the routers not agreeing on the local n remote networks..

i am there already..:) can see the encrpytion traffic already..thanks a lot!

Jon Marshall · ‎01-09-2008

Cindy

Glad to be of help and appreciate the rating.

Good advert for Netpro - better than headache pills :)

Jon