ASA 5505 Site to Site VPN problem

Feb 8th, 2008

I am setting up a VPN tunnel with an external client to FTP onto a server at their end. We are using an ASA 5505 at our end; they are using a Nokia IP530 at their end. We have a router on external IP 193.1.1.1 which simply acts as a passthrough with no NAT config. Our ASA is on external IP 193.1.2.1 and internally 192.168.254.251. Their firewall is on external IP 62.n.n.n and their FTP server is 192.168.12.12. Our 193.1.2.n subnet is specified in our router as a secondary subnet, and we have a route outside command to the router in our ASA config.

We are unable to ping their ftp server and they are unable to ping us.

The ASA config is below. Is there anything wrong with our config, or is the problem likely at their end? Is there anything we could try?


: Saved
:
ASA Version 7.2(3)
!
hostname threshold
domain-name ourdomain.com
enable password xxx
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.254.251 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 193.1.2.1 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name ourdomain.com
access-list outside_20_cryptomap extended permit ip 192.168.254.0 255.255.255.0 host 192.168.12.12
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 host 192.168.12.12
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 193.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.254.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 62.n.n.n
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
tunnel-group 62.n.n.n type ipsec-l2l
tunnel-group 62.n.n.n ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
prompt hostname context
Cryptochecksum:xxx
: end
asdm image disk0:/asdm-523.bin
no asdm history enable



fortis123 Fri, 02/08/2008 - 07:09

Hi,


First checks...

Do you have communication between the ASA and the router on your end? From the configs:

ASA Vlan2: 193.1.2.1 255.255.255.248

route outside 0.0.0.0 0.0.0.0 193.1.1.1

Looks like there is an issue.


Also, is the VPN tunnel up? Check the regular 'show' commands and see the tunnel status.


Post them, and someone will definitely look into it and suggest a solution.


hth

MS
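The two things this reply asks the poster to confirm (that the default-route gateway actually sits on the outside interface's subnet, and that the tunnel traffic is exempted from NAT) can be checked mechanically. The script below is an added example and not code from the thread: it parses just the lines of an ASA 7.x config that matter for an L2L tunnel and reports both problems. Function names are mine; the two embedded excerpts are trimmed copies of the configs posted in this thread, with the garbled default route read as gateway 193.1.1.1, metric 1, and the masked x.y.z addresses of the second config replaced by the 193.1.1.2/29 address the poster says they moved to.

```python
"""Sanity checks for an ASA 7.x site-to-site (L2L) VPN configuration.

Added example, not part of the thread. Parses interface addresses, static
routes, access-lists, the nat 0 exemption and the crypto map, then checks
that every route's gateway is on-link and that every crypto ACE is covered
by a nat 0 exemption ACE.
"""
import ipaddress

# Constructed excerpt of the first posted config: outside is 193.1.2.1/29 but
# the default route points at 193.1.1.1 (the post's "193.1.1. 1" read as
# gateway 193.1.1.1, metric 1).
CONFIG_FIRST = """
interface Vlan1
 nameif inside
 ip address 192.168.254.251 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address 193.1.2.1 255.255.255.248
!
access-list outside_20_cryptomap extended permit ip 192.168.254.0 255.255.255.0 host 192.168.12.12
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 host 192.168.12.12
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 193.1.1.1 1
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 62.n.n.n
crypto map outside_map interface outside
"""

# Constructed excerpt of the second posted config, with 193.1.1.2/29 standing
# in for the masked x.y.z.116 outside address and 193.1.1.1 for x.y.z.113.
CONFIG_SECOND = """
interface Vlan1
 nameif inside
 ip address 192.168.254.251 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address 193.1.1.2 255.255.255.248
!
access-list outside_1_cryptomap extended permit ip 192.168.254.0 255.255.255.0 host 192.168.12.12
nat (inside) 0 access-list outside_1_cryptomap
route outside 0.0.0.0 0.0.0.0 193.1.1.1 1
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer a.b.c.240
crypto map outside_map interface outside
"""


def _operand(tokens, i):
    """Parse one ACE address operand (host A | any | A MASK) starting at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse(config):
    """Pull interfaces, routes, ACLs, nat 0 and crypto-map entries out of config text."""
    cfg = {"ifaces": {}, "routes": [], "acls": {}, "nat0": {}, "cmap": {}}
    cur = {}
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            cur = {}
        elif t[0] == "nameif":
            cur["name"] = t[1]
        elif t[:2] == ["ip", "address"]:
            cur["addr"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif t[0] == "route":
            cfg["routes"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False),
                                  ipaddress.ip_address(t[4])))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _operand(t, 5)
            dst, _ = _operand(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and len(t) > 4 and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[:2] == ["crypto", "map"] and len(t) > 5:
            entry = cfg["cmap"].setdefault((t[2], t[3]), {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
        if "name" in cur and "addr" in cur:
            cfg["ifaces"][cur["name"]] = cur["addr"]
    return cfg


def check(config):
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse(config)
    findings = []
    # 1. A static route's gateway must be directly reachable on its interface.
    for iface, dest, gw in cfg["routes"]:
        local = cfg["ifaces"].get(iface)
        if local is None:
            findings.append(f"route to {dest}: interface {iface} has no ip address")
        elif gw not in local.network:
            findings.append(f"gateway {gw} is not on the {iface} subnet {local.network}")
    # 2. Every crypto ACE must be covered by a nat 0 exemption ACE so the inside
    #    addresses are not translated before they reach the tunnel.
    exempt = [ace for acl in cfg["nat0"].values() for ace in cfg["acls"].get(acl, [])]
    for (name, seq), entry in sorted(cfg["cmap"].items()):
        if entry.get("acl") not in cfg["acls"]:
            findings.append(f"crypto map {name} {seq} references undefined ACL {entry.get('acl')}")
            continue
        for src, dst in cfg["acls"][entry["acl"]]:
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                findings.append(f"crypto map {name} {seq}: {src} -> {dst} is not exempted from NAT (nat 0)")
    return findings


if __name__ == "__main__":
    for label, text in (("first config", CONFIG_FIRST), ("second config", CONFIG_SECOND)):
        print(label, "->", check(text) or "OK")
```

Run it against a `show running-config` capture and it flags the off-link gateway in the first posted config and passes the second one; removing the `nat (inside) 0` line from the second excerpt makes the NAT check fire instead.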




resourcepensions Tue, 02/12/2008 - 08:09

Hi, thanks for your response.

Yes, we have communication between the ASA and the router at our end.

We have changed the Vlan2 IP address so it is now on the same subnet as our router (i.e. ASA Vlan2: 193.1.1.2).

The VPN tunnel comes up but we are unable to ping the other side, 192.168.12.12. Just one strange thing: we are seeing the non-routable address 192.168.12.12 on the outside interface when sending the ping command.


fortis123 Tue, 02/12/2008 - 09:38

Make sure that the IP range you are trying to reach via the VPN tunnel is NOT NATed. Also, add them properly to the ACL mapped to the outside interface crypto map.


If possible, please post the configs (without any password)


hth

MS


resourcepensions Wed, 02/13/2008 - 03:01

Thanks for this help. I have changed my config around a bit, and have posted the updated config below.

The VPN seems to be up, and I am now able to FTP, which is the main reason for the VPN. However, I am still unable to ping 192.168.12.12. When we ping we are still seeing the non-routable address 192.168.12.12 on the outside address.


:
ASA Version 7.2(3)
!
hostname threshold
domain-name resourcepensions.com
enable password xxx
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.254.251 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.y.z.116 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport monitor Ethernet0/0
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name resourcepensions.com
access-list outside_1_cryptomap extended permit ip 192.168.254.0 255.255.255.0 host 192.168.12.12
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list outside_1_cryptomap
route outside 0.0.0.0 0.0.0.0 x.y.z.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.254.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer a.b.c.240
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
tunnel-group a.b.c.240 type ipsec-l2l
tunnel-group a.b.c.240 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
prompt hostname context
Cryptochecksum:xxx
: end
asdm image disk0:/asdm-523.bin
no asdm history enable



cisco24x7 Wed, 02/13/2008 - 04:13

I've set up about 100+ site-to-site VPNs between Cisco IOS/PIX/VPNc and Nokia/Checkpoint. I would ask the following questions:


1- The Nokia IP530, what is the IPSO version? "uname -a"

2- Is it running Checkpoint or native IPSec?

3- If it is running Checkpoint, which version: NGx, NG with Application Intelligence, NG Feature Pack x, etc.

4- What is the level of Checkpoint Hotfix Accumulator (HFA) running on the Nokia? "fw ver"

5- Is the VPN defined in "simplified" or "traditional" mode?

6- What are the IPSec phase I and phase II timeout settings on the Nokia? You need to make sure that they match on both sides.

7- Does the Nokia only have 192.168.12.12 in its "local encryption domain" group object? If it has 192.168.12.0/24 and 192.168.12.12, Checkpoint, by default, will send 192.168.12.0/24 to the ASA and you will fail phase II, Quick Mode (QM). I am suspecting that this is the case.


Solution:


1- "debug crypto isakmp" and "debug crypto ipsec" on the ASA

2- on the Nokia:

a- if you're running NGx, you can specify the NGx to match it "per host". That I think will fix your issue.

b- on the Nokia Enforcement Module, run "vpn debug ikeoff" and "vpn debug ikeon". That will turn on debug for VPN. The output file will be in $FWDIR/log/ike.elg.

c- use IKEView.exe to look at the file. Checkpoint is really good at telling you exactly at which stage your VPN negotiation fails.


Your configuration, I just glanced through it, looks fine. I am suspecting that the issue is Checkpoint supernetting the network on phase II, thus failing the tunnel.


CCIE Security
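The failure mode described in point 7 above (the Checkpoint side offering 192.168.12.0/24 while the ASA's crypto ACL names only host 192.168.12.12, so Quick Mode has no matching entry) can be reproduced without any hardware. The script below is an added example, not code from the thread or from either vendor: it models the phase 2 proxy-ID comparison as the reply describes it, with the ASA accepting a proposal only when it mirrors one crypto ACE exactly and the Checkpoint side proposing the widest object in its encryption domain that covers the sending host unless per-host tunnels are enabled. The function names, the `negotiate` driver and the exact-match assumption are mine; the addresses are the ones in the thread.

```python
"""Model of IKEv1 Quick Mode proxy-ID matching between a Checkpoint gateway
and an ASA crypto ACL. Added example, not code from the thread.
"""
import ipaddress


def net(s):
    """Shorthand for an IPv4 network; non-aligned host bits are masked off."""
    return ipaddress.ip_network(s, strict=False)


# The ASA's crypto ACL from the posted config, as (local, remote) pairs, and
# the inside network it protects.
ASA_CRYPTO_ACL = [(net("192.168.254.0/24"), net("192.168.12.12/32"))]
ASA_INSIDE = net("192.168.254.0/24")


def checkpoint_proxy_ids(encryption_domain, remote_domain, host, per_host=False):
    """Proxy IDs the Checkpoint side proposes for traffic from `host`,
    as (its local selector, its remote selector).

    Default behaviour as described in the thread: when the encryption domain
    holds both a subnet and a host inside it, the widest covering object is
    proposed. With per-host tunnels the single /32 is proposed instead.
    """
    host = ipaddress.ip_address(host)
    covering = [n for n in encryption_domain if host in n]
    if not covering:
        raise ValueError(f"{host} is not in the local encryption domain")
    if per_host:
        return net(f"{host}/32"), remote_domain
    return min(covering, key=lambda n: n.prefixlen), remote_domain


def asa_qm_match(crypto_acl, peer_local, peer_remote):
    """Index of the ACE that mirrors the peer's proposal exactly, or None.

    Modelled as an exact mirror match (ASA local == peer remote and ASA
    remote == peer local), which is what the thread's advice assumes: a
    wider proposal is rejected, not narrowed.
    """
    for i, (local, remote) in enumerate(crypto_acl):
        if local == peer_remote and remote == peer_local:
            return i
    return None


def negotiate(encryption_domain, host, per_host=False):
    """Run the phase 2 exchange from the Checkpoint side and report the ASA's verdict."""
    peer_local, peer_remote = checkpoint_proxy_ids(encryption_domain, ASA_INSIDE, host, per_host)
    idx = asa_qm_match(ASA_CRYPTO_ACL, peer_local, peer_remote)
    verdict = ("QM rejected: proxy identities not supported" if idx is None
               else f"IPsec SA installed for crypto map entry {idx}")
    return {"proposed": (str(peer_local), str(peer_remote)), "result": verdict}


if __name__ == "__main__":
    domain = [net("192.168.12.0/24"), net("192.168.12.12/32")]
    print("default  :", negotiate(domain, "192.168.12.12"))
    print("per host :", negotiate(domain, "192.168.12.12", per_host=True))
    print("host only:", negotiate([net("192.168.12.12/32")], "192.168.12.12"))
```

The three runs in the `__main__` block correspond to the cases in the reply: the supernetted default fails Quick Mode, while either a per-host tunnel or an encryption domain that contains only the FTP host produces a proposal the ASA's single ACE can match.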

fortis123 Wed, 02/13/2008 - 13:33

Hi,


Please go through my query:

L2L IPsec tunnel configuration link (through CLI) between 2 ASAs

One of our members posted a config sample. It is very good. Please make sure you have the correct permissions on the remote site.

hth

MS
