03-07-2008 10:38 PM - edited 02-21-2020 01:56 AM
I've used many SW devices to set up remote locations with Site2Site VPNs and had everything working well. I replaced one of the SW's with an ASA5505.
All of the sample configs I've seen use Main Mode (both ends have static IPs). In my case the PRO2040 is static and the ASA is DHCP.
I almost have the VPN setup but I am hitting one problem. Phase 1 completes but Phase 2 complains of a network mismatch. The log on the SW says this "IKE Responder: Peer's local network does not match VPN policy's Destination Network" ... "Proposed network: 1.2.3.4". The IP listed is the DHCP assigned IP of the outside interface on the ASA.
I've checked the settings in the cryptomap 50 times and I'm sure it's correct. The remote network is the inside network of the PRO2040. The local network is the inside network on the ASA.
Does anyone have any suggestions? If I get this working I'll post a complete HOW-TO.
03-09-2008 09:00 AM
Found the problem. Everything is working with this tunnel.
03-01-2010 09:06 AM
Hi,
Could you tell me what you have done to fix it?
I have the same setup and the exact same problem.
Thank you!
03-01-2010 09:52 AM
In my case the SonicWall had a static IP and the 5505 got its IP via DHCP. Here's the relevant config from my 5505 that works with my setup. I'm going to define some names to make things more readable.
hostname asa5505
domain-name mydomain.com
name 10.10.10.0 inside-network description Internal network on 5505
name 10.10.12.0 remote-office description Internal network on PRO2040
access-list outside_cryptomap_1 extended permit ip inside-network 255.255.255.0 remote-office 255.255.255.0
03-01-2010 10:33 AM
First of all I want to thank you!
It makes total sense, but I'm not sure how to apply it.
I have this in my config:
access-list inside_nat0_outbound extended permit ip 192.168.210.0(local ASA network) 255.255.255.0 172.50.0.131(Remote Sonicwall network) 255.255.255.255
global (outside) 1 interface
nat (inside) 1 access-list inside_nat0_outbound
Thank you, your help is greatly appreciated.
My ASA Config
interface Vlan1
nameif inside
security-level 100
ip address 192.168.210.251 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address X"X"X"X X'X'X'X'X
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.2
domain-name voltige.biz
same-security-traffic permit inter-interface
access-list ICMPACL extended permit icmp any any
access-list ICMPACL extended permit icmp any any time-exceeded
access-list ICMPACL extended permit icmp any any unreachable
access-list ICMPACL extended permit icmp any any echo-reply
access-list TUNNEL extended permit ip 192.168.210.0 255.255.255.0 host 172.50.0.131
access-list inside_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 host 172.50.0.131
pager lines 24
logging enable
logging monitor emergencies
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list inside_nat0_outbound
access-group ICMPACL in interface outside
route outside 0.0.0.0 0.0.0.0 70.159.184.22 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.210.0 255.255.255.0 inside
snmp-server host inside 192.168.210.57 community public
snmp-server location tour1
snmp-server contact jean-francis
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
crypto ipsec transform-set Bang-Transform-Set esp-aes-192 esp-sha-hmac
crypto map Tunnel-Map 1 match address ovation
crypto map Tunnel-Map 1 set connection-type originate-only
crypto map Tunnel-Map 1 set peer 123.123.123.1
crypto map Tunnel-Map 1 set transform-set Bang-Transform-Set
crypto map Tunnel-Map 1 set phase1-mode aggressive
crypto map Tunnel-Map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh 192.168.210.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
username admin password sdgsgdsdgsdgsd encrypted privilege 15
tunnel-group 123.123.123.1 type ipsec-l2l
tunnel-group 123.123.123.1 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2a3693d654aa3a05cb78ea3efe63b132
: end
03-01-2010 11:09 AM
I believe your problem is with these statements:
access-list TUNNEL extended permit ip 192.168.210.0 255.255.255.0 host 172.50.0.131
access-list inside_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 host 172.50.0.131
access-list TUNNEL extended permit ip 192.168.210.0 255.255.255.0 172.50.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 172.50.0.0 255.255.255.0
03-01-2010 11:41 AM
Yes, it was set with a static IP for troubleshooting only.
I'm curious how you state your NAT commands. Could you post them?
The reason the ACLs are like this is that behind the SonicWall there is only one host configured.
Phase 2 of my VPN fails the same way as in your scenario. The ASA is DHCP/aggressive mode and the SonicWall receives an error like this (look at the PNG).
The SonicWall sees the ASA public IP as the Proposed Network.
Here is the correct running-config:
ASA Version 7.2(4)
!
hostname ASA5505
domain-name mydomain.biz
enable password fgsdgfsdfds encrypted
passwd fsdgdfgsdgdfsgfencrypted
multicast-routing
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.210.251 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.2
domain-name voltige.biz
same-security-traffic permit inter-interface
access-list ICMPACL extended permit icmp any any
access-list ICMPACL extended permit icmp any any time-exceeded
access-list ICMPACL extended permit icmp any any unreachable
access-list ICMPACL extended permit icmp any any echo-reply
access-list ovation extended permit ip 192.168.210.0 255.255.255.0 host 172.50.0.131
access-list inside_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 host 172.50.0.131
pager lines 24
logging enable
logging monitor emergencies
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.210.0 255.255.255.0
access-group ICMPACL in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.210.0 255.255.255.0 inside
snmp-server host inside 192.168.210.57 community public
snmp-server location tour1
snmp-server contact jean-francis
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
crypto ipsec transform-set Tunnel-Transform-Set esp-aes-192 esp-sha-hmac
crypto map Tunnel-Map 1 match address ovation
crypto map Tunnel-Map 1 set connection-type originate-only
crypto map Tunnel-Map 1 set peer 123.123.123.123
crypto map Tunnel-Map 1 set transform-set Bang-Transform-Set
crypto map Tunnel-Map 1 set phase1-mode aggressive
crypto map Tunnel-Map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh 192.168.210.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
username admin password sdfdgvdvfdssd encrypted privilege 15
tunnel-group 123.123.123.123 type ipsec-l2l
tunnel-group 123.123.123.123 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2a3693d654aa3a05cb78ea3efe63b132
: end
03-01-2010 12:19 PM
You're trying to set up a LAN-to-LAN VPN. The mismatch is because you're going LAN-to-Host but setting up the VPN as L2L. After you get the L2L tunnel up you can restrict traffic by setting firewall rules to deny all traffic except from your one host. Does that make sense?
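As an added example (not code from any poster in this thread), a small Python lint that parses the ASA crypto-map ACL and NAT-exempt ACL and compares them with the SonicWall policy networks, reproducing the LAN-to-host versus LAN-to-LAN proxy-ID mismatch described above. The sample configs, ACL names and SonicWall networks are constructed from values quoted in the thread.

```python
import ipaddress
import re
# Constructed samples in ASA 7.x syntax: the thread's failing crypto ACL
# (LAN-to-host /32, NAT policy that PATs everything) and the corrected
# LAN-to-LAN ACL with a mirrored NAT-exempt (nat 0) ACL.
FAILING_CONFIG = """
access-list TUNNEL extended permit ip 192.168.210.0 255.255.255.0 host 172.50.0.131
nat (inside) 1 access-list inside_nat0_outbound
crypto map Tunnel-Map 1 match address TUNNEL
"""
FIXED_CONFIG = """
access-list TUNNEL extended permit ip 192.168.210.0 255.255.255.0 172.50.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.210.0 255.255.255.0 172.50.0.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map Tunnel-Map 1 match address TUNNEL
"""
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")

def _addr(tok):
    """Consume one ASA address spec ('host A' or 'A MASK'); return (network, rest)."""
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_acls(config):
    """Map ACL name -> list of (src_net, dst_net) for its 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            src, rest = _addr(m.group(2).split())
            acls.setdefault(m.group(1), []).append((src, _addr(rest)[0]))
    return acls

def check_l2l(config, peer_local, peer_dest):
    """Compare the ASA proxy IDs (crypto ACL) with the SonicWall policy, where
    peer_local is its 'Local Network' and peer_dest its 'Destination Network'.
    Returns a list of findings; empty means proxy IDs and NAT exemption agree."""
    acls, findings = parse_acls(config), []
    m = re.search(r"^crypto map \S+ \d+ match address (\S+)", config, re.M)
    crypto = acls.get(m.group(1), []) if m else []
    want = (ipaddress.ip_network(peer_dest), ipaddress.ip_network(peer_local))
    for src, dst in crypto:
        if (src, dst) != want:
            findings.append(f"proxy ID {src}->{dst} != peer policy {want[0]}->{want[1]}")
    n = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if n is None:
        findings.append("no 'nat (inside) 0' exemption: tunnel traffic would be PATed")
    elif sorted(acls.get(n.group(1), [])) != sorted(crypto):
        findings.append(f"nat 0 ACL {n.group(1)} does not mirror crypto ACL")
    return findings
```

Run `check_l2l(FAILING_CONFIG, "172.50.0.0/24", "192.168.210.0/24")` to see both findings (the /32 proxy ID and the missing NAT exemption); the fixed config returns an empty list.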
03-01-2010 02:07 PM
I will try this.
Could you still post your NAT config?
Thank you so much again!
03-01-2010 02:53 PM
It's a very simple config:
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
03-01-2010 03:25 PM
OK, I set up the NAT.
What IKE ID should I use on the SonicWall to identify the ASA?
INSIDE IP address of the ASA: 192.168.210.251
OUTSIDE IP address of the ASA: 192.168.1.7
I'm starting to believe that the problem comes from the SonicWall configuration.
Thank you!
03-01-2010 05:51 PM
One of my previous responses had a screenshot of the Sonicwall settings I used. On the Sonicwall I set
Local IKE ID: IP Address -- I set the address to the external IP of the Sonicwall.
Remote IKE ID: Domain Name -- I set the value to the FQDN of the ASA. The FQDN is derived from the "hostname" and "domain name" set in the ASA.
The config I posted for the ASA before sets similar values for the ASA.
03-11-2010 11:32 AM
It's clearer now!
Could you tell me how to find the FQDN of my ASA?
Hostname:ASAVPN
Domainname:bang.biz
Will the FQDN be ASAVPN.bang.biz?
Thank you very much!
03-11-2010 01:37 PM
I tried it and it works; Phase 1 completes.
I'm still having the problem of the SonicWall getting the wrong proposed network (my ASA "public" IP, which is the IP of the network between the ASA and the DSL router).
Here is the latest running-config:
Let me know what you think.
: Saved
:
ASA Version 7.2(4)
!
hostname ASAVPNBang
domain-name ASAVPN.biz
enable password sadfhad##%TGRG encrypted
passwd SDGFA$### encrypted
multicast-routing
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.210.251 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone est -5
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.2
domain-name ASAVPN.biz
same-security-traffic permit inter-interface
access-list ICMPACL extended permit icmp any any
access-list ICMPACL extended permit icmp any any time-exceeded
access-list ICMPACL extended permit icmp any any unreachable
access-list ICMPACL extended permit icmp any any echo-reply
access-list VPNMAP extended permit ip 192.168.210.0 255.255.255.0 172.50.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 172.50.0.0 255.255.255.0
pager lines 24
logging enable
logging monitor emergencies
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.210.0 255.255.255.0
access-group ICMPACL in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.210.0 255.255.255.0 inside
snmp-server host inside 192.168.210.57 community public
snmp-server location tour1
snmp-server contact jean-francis
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
crypto ipsec transform-set Bang-Transform-Set esp-aes-192 esp-sha-hmac
crypto map Bang-Map 1 match address VPNMAP
crypto map Bang-Map 1 set connection-type originate-only
crypto map Bang-Map 1 set peer X.X.X.X (Sonicwall Public IP)
crypto map Bang-Map 1 set transform-set Bang-Transform-Set
crypto map Bang-Map 1 set phase1-mode aggressive
crypto map Bang-Map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh 192.168.210.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
username admin password FasfDFDGFGasj encrypted privilege 15
tunnel-group X.X.X.X(Public ip of the SonicWall) type ipsec-l2l
tunnel-group X.X.X.X(Public ip of the SonicWall) ipsec-attributes
pre-shared-key *
isakmp keepalive disable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:035dec2d6db7446cc1a83a36cf156e6c
: end
03-10-2010 08:11 AM
Schappel, I had a few questions regarding your installation. I am in the process of connecting a remote site and the main office is protected with a Sonic firewall. Wanted to know if you can contact me at jwronkowski@cypress-tech.net instead of clogging up the forum. I can post results after I figure out the best way to tackle the issue. Thanks, Joe