02-08-2008 02:55 AM
I am setting up a VPN tunnel with an external client to ftp onto a server at their end. We are using an ASA 5505 at our end, they are using a Nokia IP530 at their end. We have a router on external ip 193.1.1.1 which simply acts as a passthrough with no nat config. Our ASA is on external ip 193.1.2.1 and internally 192.168.254.251. Their firewall is on external ip 62.n.n.n and their ftp server is 192.168.12.12. Our 193.1.2.n subnet is specified in our router as a secondary subnet, and we have a route outside command to the router in our ASA config.
We are unable to ping their ftp server and they are unable to ping us.
The ASA config is below. Is there anything wrong with our config, or is the problem likely at their end? Is there anything we could try?
: Saved
:
ASA Version 7.2(3)
!
hostname threshold
domain-name ourdomain.com
enable password xxx
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.254.251 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 193.1.2.1 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
domain-name ourdomain.com
access-list outside_20_cryptomap extended permit ip 192.168.254.0 255.255.255.0 host 192.168.12.12
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 host 192.168.12.12
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 193.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.254.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 62.n.n.n
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
!
tunnel-group 62.n.n.n type ipsec-l2l
tunnel-group 62.n.n.n ipsec-attributes
pre-shared-key *
isakmp keepalive disable
prompt hostname context
Cryptochecksum:xxx
: end
02-08-2008 07:09 AM
Hi,
First checks...
do you have the communication between the ASA and the router on your end..? from the configs..
ASA Vlan2:193.1.2.1 255.255.255.248
route outside 0.0.0.0 0.0.0.0 193.1.1.1
Looks like there is an issue.
Also, is the VPN tunnel up..? check regular 'show' commands and see the tunnel status.
Post them, and someone definitely will look into that and suggest the solution.
hth
MS
02-12-2008 08:09 AM
hi, thanks for your response.
yes we have communication between the ASA and the router at our end.
We have changed the Vlan2 ip address so it is now on the same subnet as our router (ie ASA Vlan2:193.1.1.2).
The VPN tunnel comes up but we are unable to ping the other side 192.168.12.12. Just one strange thing is we are seeing non-routable address 192.168.12.12 on the outside interface when sending ping command.
02-12-2008 09:38 AM
make sure that the IP range you are trying to reach via the VPN tunnel is NOT natted. Also, add it properly to the ACL mapped to the outside interface crypto map.
If possible, please post the configs (without any password)
hth
MS
02-13-2008 03:01 AM
thanks for this help. I have changed my config around a bit, and have posted the updated config below.
The VPN seems to be up, and I am now able to ftp which is the main reason for the VPN. However, I am still unable to ping 192.168.12.12. When we ping we are still seeing the non-routable address 192.168.12.12 on the outside address.
:
ASA Version 7.2(3)
!
hostname threshold
domain-name resourcepensions.com
enable password xxx
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.254.251 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.y.z.116 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport monitor Ethernet0/0
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
domain-name resourcepensions.com
access-list outside_1_cryptomap extended permit ip 192.168.254.0 255.255.255.0 host 192.168.12.12
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list outside_1_cryptomap
route outside 0.0.0.0 0.0.0.0 x.y.z.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.254.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer a.b.c.240
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
!
tunnel-group a.b.c.240 type ipsec-l2l
tunnel-group a.b.c.240 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
prompt hostname context
Cryptochecksum:xxx
: end
02-13-2008 04:13 AM
I've set up about 100+ site-2-site VPNs between Cisco IOS/Pix/VPNc and Nokia/Checkpoint. I would ask the following questions:
1- The Nokia IP530, what is the IPSO version? "uname -a"
2- Is it running Checkpoint or native IPSec?
3- If it is running Checkpoint, which version: NGx, NG with Application Intelligence, NG Feature Pack x, etc.
4- What is the level of Checkpoint Hot Fix Accumulator (HFA) running on the Nokia? "fw ver"
5- Is the VPN defined as "simplified" or "traditional" mode?
6- What are the IPSec phase I and phase II timeout settings on the Nokia? You need to make sure that they match on both sides.
7- Does the Nokia only have 192.168.12.12 in its "local encryption domain" group-object? If it has 192.168.12.0/24 and 192.168.12.12, Checkpoint, by default, will send 192.168.12.0/24 to the ASA and you will fail phase II, Quick Mode (QM). I am suspecting that this is the case.
Solution:
1- "debug crypto isakmp" and "debug crypto ipsec" on the ASA
2- on the Nokia:
a- if you're running NGx, you can specify the NGx to match it "per host". That I think will fix your issue.
b- on the Nokia Enforcement Module, run "vpn debug ikeoff" and "vpn debug ikeon". That will turn on debug for VPN. The output file will be in $FWDIR/log/ike.elg.
c- use IKEView.exe to look at the file. Checkpoint is really good at telling you exactly at which stage your VPN negotiation fails.
Your configuration, I just glanced through it, looks fine. I am suspecting that the issue is Checkpoint supernetting the network on phase II, thus failing the tunnel.
CCIE Security
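The two checks the replies above point at (the tunnel traffic must be NAT-exempt and listed in the crypto ACL, and the peer's phase II proxy IDs must mirror that ACL exactly rather than a supernet) can be run against a pasted ASA config. The script below is an added example written for this thread; it is not a Cisco or Checkpoint tool and not code from any poster. The ASA_CONFIG excerpt is constructed from the second posted config, the ASA_CONFIG_BAD_NAT0 variant is constructed to show a broken NAT exemption, and the peer encryption-domain values passed to check_proxy_ids are assumptions standing in for what the Nokia would propose.

```python
"""Checks for two site-to-site IPsec failure modes discussed in the thread:
(1) tunnel traffic that is not NAT-exempt (it is translated before the
    crypto map sees it, so it never matches the crypto ACL), and
(2) a phase 2 proxy-ID mismatch, where the peer proposes a wider network
    (e.g. 192.168.12.0/24) than the ASA's crypto ACL (host 192.168.12.12).
Added example; not part of the thread or of any vendor tool."""
import ipaddress
import re

# Constructed excerpt based on the second config posted in the thread.
ASA_CONFIG = """
access-list outside_1_cryptomap extended permit ip 192.168.254.0 255.255.255.0 host 192.168.12.12
nat (inside) 0 access-list outside_1_cryptomap
crypto map outside_map 1 match address outside_1_cryptomap
"""

# Constructed variant: the nat 0 ACL exempts a different host, so traffic to
# 192.168.12.12 is still translated (the error the "NOT natted" reply warns about).
ASA_CONFIG_BAD_NAT0 = """
access-list outside_1_cryptomap extended permit ip 192.168.254.0 255.255.255.0 host 192.168.12.12
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 host 192.168.12.13
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
"""


def _parse_addr(tokens, i):
    """Consume one ASA address spec ('host A', 'any', or 'A MASK') at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'extended permit ip' ACEs."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 7 and t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _parse_addr(t, 5)
            dst, _ = _parse_addr(t, i)
            acls.setdefault(t[1], []).append((src, dst))
    return acls


def nat0_acl(config):
    """Name of the ACL bound by 'nat (<if>) 0 access-list <name>', or None."""
    m = re.search(r"^nat \(\S+\) 0 access-list (\S+)\s*$", config, re.M)
    return m.group(1) if m else None


def crypto_acls(config):
    """Names of the ACLs referenced by 'crypto map ... match address'."""
    return re.findall(r"^crypto map \S+ \d+ match address (\S+)\s*$", config, re.M)


def check_nat_exemption(config):
    """Every crypto ACE must be covered by some nat 0 ACE; return the list of gaps."""
    acls = parse_acls(config)
    exempt = acls.get(nat0_acl(config), [])
    gaps = []
    for name in crypto_acls(config):
        for src, dst in acls.get(name, []):
            covered = any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt)
            if not covered:
                gaps.append(f"{name}: {src} -> {dst} is NATed before encryption")
    return gaps


def check_proxy_ids(config, peer_local, peer_remote):
    """Compare the peer's phase 2 proposal (its local/remote selectors) with the
    ASA crypto ACEs. Return ('ok', msg) on an exact mirror match, else ('mismatch', msg)."""
    acls = parse_acls(config)
    p_local = ipaddress.ip_network(peer_local)
    p_remote = ipaddress.ip_network(peer_remote)
    for name in crypto_acls(config):
        for src, dst in acls.get(name, []):
            # The ASA's src/dst is the mirror image of the peer's local/remote.
            if src == p_remote and dst == p_local:
                return "ok", f"{name}: {src} <-> {dst} matches the peer proposal"
            if dst.subnet_of(p_local) and src.subnet_of(p_remote):
                return "mismatch", (f"{name}: peer proposes {p_local} <-> {p_remote} but the "
                                    f"ASA expects {dst} <-> {src}; narrow the peer's "
                                    "encryption domain to per-host")
    return "mismatch", "no crypto ACE overlaps the peer proposal"


if __name__ == "__main__":
    for cfg in (ASA_CONFIG, ASA_CONFIG_BAD_NAT0):
        print(check_nat_exemption(cfg) or ["NAT exemption ok"])
    print(check_proxy_ids(ASA_CONFIG, "192.168.12.12", "192.168.254.0/24"))
    print(check_proxy_ids(ASA_CONFIG, "192.168.12.0/24", "192.168.254.0/24"))
```

The second config in the thread reuses the crypto ACL as the nat 0 list, which the coverage check accepts; the first config used a separate inside_nat0_outbound list with identical entries, which it accepts as well. The proxy-ID check reproduces the phase II symptom described above: when the Nokia's encryption domain contains the whole /24, its proposal is a supernet of the ASA's host entry and QM fails, whereas a per-host entry on the Nokia side mirrors the ACE exactly.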
02-13-2008 01:33 PM
Hi,
Please go through my query ...
L2L IPsec tunnel configuration link (through CLI) between 2 ASAs
one of our members posted the config sample. It is very good. Please make sure you have the correct permissions on the remote site.
hth
MS