03-31-2008 08:44 AM - edited 02-21-2020 03:38 PM
Hi All... I'm having a strange problem.
We recently migrated all of our Lan to Lan VPNs from a 7206 with an ISA card over to our ASA 5520 firewalls. There are just a handful of users that are experiencing a strange issue.
We use Cisco VoIP and our employees have an IP phone that they use over the VPN. With the old setup with the VPNs connecting to the 7206, we never had any issues, it was rock solid and always worked. Ever since we migrated to the ASA, the phones spend probably 90% of the time trying to reregister with Call Manager (10.1.100.0 or 10.1.101.0). Also, some are able to make and receive calls just fine, while a few others can hear the other people, but they can't talk to people. I wonder if something isn't messed up with the nat exclusion? They also have problems with SAs that time out. Example: VPN host: 10.200.218.101 has an SA with 10.220.22.0 and 10.1.1.0.... When 10.220.22.0 times out, the only way to get that SA to come back up again is to reset the VPN connection. It's weird. All of the PIXs have the same config, just the 10.200.x.0 ip is changed. Many of them are behind nat devices (home routers etc), but this was never a problem before with the 7206 setup.
Below is the config for the ASA as well as the 7206 for a sort of Before and After comparison. I will attach a PIX501 config in a separate post.
Another issue... when we migrated to the ASAs for the VPNs, I implemented EasyVPN on as many remote PIXs as possible (about 90 or so). There are a few that will just randomly not connect to the ASA. The ASA will show the peer trying to connect, but will show a log entry similar to: Peer= <Ip>; no match found, removing peer. It will show that a few times, then all of a sudden Phase 1 will complete and all will be fine. Any ideas what could be causing that??
What a headache! I'd appreciate any help you could give. Thanks.
7206:
-----------------
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key <key> address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set tangoset esp-des esp-md5-hmac
!
crypto dynamic-map tangomap 10
set transform-set tangoset
qos pre-classify
!
crypto map tangotrans 10 ipsec-isakmp dynamic tangomap
!
!
interface FastEthernet0/0
description ...
bandwidth 100000
ip address ...
ip access-group 197 in
no ip redirects
no ip proxy-arp
rate-limit input access-group 196 128000 8000 8000 conform-action transmit exceed-action drop
rate-limit output access-group 196 128000 8000 8000 conform-action transmit exceed-action drop
ip route-cache flow
no ip mroute-cache
duplex full
speed 100
crypto map tangotrans
ASA 5520:
---------------
crypto ipsec transform-set mySET esp-3des esp-md5-hmac
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto dynamic-map myDYN-MAP 5 set reverse-route
crypto map myMAP 60 ipsec-isakmp dynamic myDYN-MAP
crypto map myMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
03-31-2008 08:45 AM
PIX 501 config:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname
domain-name ...
clock timezone CST -6
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit udp 10.200.218.0 255.255.255.0 10.0.0.0 255.0.0.0 range 16384 32767
access-list nonat permit ip 10.200.218.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 10.200.218.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list nonat permit ip 10.200.218.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list nonat permit ip 10.200.218.0 255.255.255.0 10.1.101.0 255.255.255.0
access-list nonat permit ip 10.200.218.0 255.255.255.0 10.4.5.0 255.255.255.0
access-list 101 permit udp 10.200.218.0 255.255.255.0 10.0.0.0 255.0.0.0 range 16384 32767
access-list 101 permit ip 10.200.218.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 permit ip 10.200.218.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list 101 permit ip 10.200.218.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list 101 permit ip 10.200.218.0 255.255.255.0 10.1.101.0 255.255.255.0
access-list 101 permit ip 10.200.218.0 255.255.255.0 10.4.5.0 255.255.255.0
no pager
logging on
logging buffered warnings
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.200.218.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
snmp-server host inside 10.1.1.25 poll
no snmp-server location
no snmp-server contact
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set tangoset esp-3des esp-md5-hmac
crypto map tangomap 10 ipsec-isakmp
crypto map tangomap 10 match address 101
crypto map tangomap 10 set peer <>
crypto map tangomap 10 set transform-set tangoset
crypto map tangomap interface outside
isakmp enable outside
isakmp key <..> address <..> netmask 255.255.255.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 10.200.218.101-10.200.218.111 inside
dhcpd dns 10.1.1.20 10.1.1.23
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
12-23-2008 01:11 PM
Did you ever fix this?
12-23-2008 01:17 PM
Yes,
TAC informed me that the ASAs don't process the access lists the same way the 7206 does and can't open up SAs based on a range of ports. Because of this, our old config would not work.
We changed the VPN config such that all 10.0.0.0/8 (our internal network) is encrypted and then applied a filter to a group-policy that's applied to the tunnel-group. Works great. The filter ACL works just like a normal ACL. It could potentially cause a little more overhead on the central ASA, but so far that's not been an issue.
Here's an example of what it looks like on the Hub ASA:
tunnel-group DefaultL2LGroup general-attributes
default-group-policy vpn-L2LFilter
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
group-policy vpn-L2LFilter internal
group-policy vpn-L2LFilter attributes
vpn-filter value vpn-L2LFilter
access-list vpn-L2LFilter remark L2L VPN User Filter.
access-list vpn-L2LFilter extended permit ip 10.200.192.0 255.255.192.0 10.1.1.0 255.255.255.0
access-list vpn-L2LFilter extended permit udp 10.200.192.0 255.255.192.0 10.0.0.0 255.0.0.0 range 16384 32767
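An added example, not code from this thread or from Cisco: it parses the PIX/ASA access-list lines quoted above, flags the crypto-ACL entries that key on a UDP port range (the ones the TAC answer says the ASA cannot turn into SA selectors), and evaluates the vpn-filter the way the ASA does (first match, implicit deny, remote network as source). The function names and the sample-flow checks are my own assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed sample input: ACL lines copied from the configs in this thread.
CRYPTO_ACL = """
access-list 101 permit udp 10.200.218.0 255.255.255.0 10.0.0.0 255.0.0.0 range 16384 32767
access-list 101 permit ip 10.200.218.0 255.255.255.0 10.1.1.0 255.255.255.0
"""
VPN_FILTER = """
access-list vpn-L2LFilter remark L2L VPN User Filter.
access-list vpn-L2LFilter extended permit ip 10.200.192.0 255.255.192.0 10.1.1.0 255.255.255.0
access-list vpn-L2LFilter extended permit udp 10.200.192.0 255.255.192.0 10.0.0.0 255.0.0.0 range 16384 32767
"""

# dports: destination port range (lo, hi); None means any port.
Ace = namedtuple("Ace", "action proto src dst dports")

def parse_acl(text):
    """Parse PIX/ASA 'access-list' lines (dotted netmasks, not wildcard masks)."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()[2:]  # drop 'access-list <name>'
        if tok[0] == "extended":
            tok = tok[1:]
        if tok[0] == "remark":
            continue
        src = ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}")
        dst = ipaddress.IPv4Network(f"{tok[4]}/{tok[5]}")
        dports = (int(tok[7]), int(tok[8])) if tok[6:7] == ["range"] else None
        aces.append(Ace(tok[0], tok[1], src, dst, dports))
    return aces

def port_range_aces(aces):
    """Crypto-ACL entries keyed on a port range: per the TAC answer in the thread
    the ASA cannot use them as SA selectors, so they belong in the vpn-filter."""
    return [a for a in aces if a.dports is not None]

def filter_permits(aces, src, dst, proto, dport=None):
    """First-match vpn-filter check with the implicit deny. A vpn-filter ACL is
    written remote-first (src = peer network, dst = hub network) and the ASA
    applies it to traffic in both directions."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for a in aces:
        if a.proto not in ("ip", proto) or s not in a.src or d not in a.dst:
            continue
        if a.dports and (dport is None or not a.dports[0] <= dport <= a.dports[1]):
            continue
        return a.action == "permit"
    return False
```

Run `port_range_aces(parse_acl(CRYPTO_ACL))` against a spoke's crypto ACL to list the entries that must move into the filter, then `filter_permits` to confirm the phone's RTP and signalling flows are still allowed by the filter you wrote.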