L2L VPN

Answered Question
Aug 31st, 2008
User Badges:

I Want to configure the ASA IOS Version 8.0 to connect to Juniper Netscreen with the below configuration using L2L VPN.


Peer IP address 78.93.0.7

Host IP address 213.184.187.200

Pre-shared key: ciscoVPN


Phase 1: preg2-3des-md5

phase 2: nopfs-esp-3des-md5


Thanks in advance.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
welaish77 Mon, 09/01/2008 - 20:38
User Badges:

I tried this example but the problem is that the other party says no connection is hits is coming and i cannot monitor the ASA to check the connection is up or not.

1) Check your "interesting traffic" acl's for hits.

2) Make sure you have the loacal to remote ip subnets in your "no-nat" acl/

issue the below commands


term mon


Debug crypto isakmp 20


Debug crypto ispec 20


Then try to initiate the VPN connection from your side and see what the debug tells you.


HTH>

welaish77 Tue, 09/02/2008 - 02:45
User Badges:

that was the output.


Sep 02 14:03:39 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Sep 02 14:03:39 [IKEv1]: IP = 78.93.0.6, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, IKE_DECODE RESENDING Message (msgid=0)with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152

Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 64

Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 64

Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping

Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, Information Exchange processing failed

Sep 02 14:03:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Sep 02 14:03:45 [IKEv1]: IP = 78.93.0.6, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

welaish77 Tue, 09/02/2008 - 02:58
User Badges:

this are my configuration the other side is accepting connections from other parties so i think it something in my configuration.


may be i am missing something.


access-list nonat permit ip 172.19.134.9 255.255.255.255 213.184.187.178 255.255.255.255

nat (inside) 0 access-list nonat

sysopt connection permit-ipsec

isakmp enable outside


Phase I.

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp key knowledge address 78.93.0.6 netmask 255.255.255.255

isakmp policy 10 lifetime 14400


Phase II.

crypto ipsec transform-set jnet_trans esp-3des esp-md5-hmac

crypto map jnet_map 10 set peer 78.93.0.6

crypto map jnet_map 10 set transform-set jnet_trans

crypto map jnet_map 10 match address nonat

crypto map jnet_map 10 ipsec-isakmp

crypto map jnet_map interface outside

welaish77 Mon, 09/08/2008 - 20:17
User Badges:

Andrew,


I am facing another problem in the VPN. how can i make the other side ping my host? or access service on a certain port?

Make the other side ping your host?? You tell them to ping your host?


You can apply an access-list that applies to the source traffic from the remote end to your local side and apply it to the inside interface on the "outbound" flow, you can base this on src ip - dest ip - src tcp/udp port - dst tcp/udp port.


HTH>

welaish77 Mon, 09/08/2008 - 22:45
User Badges:

:) yes i told them to ping but no reply.


also can you give me an example of the access-list and how to apply it on the inside interface on the "outbound" flow?


many thanks

When they ping - does the VPN tunnel come up? If the tunnel is already up can you see packets being decrypted on the IPSE SA?


If I wanted to allow say telent and smtp to 2 sepearate servers from a remote ip subnet of 172.16.1.0/24 to my internal ip subnet of 192.168.254.0/24 I would write:-


access-list filter-out-to-the-LAN extended permit tcp 172.16.1.0 255.255.255.0 192.168.254.1 255.255.255.0 eq 25

access-list filter-out-to-the-LAN extended permit tcp 172.16.1.0 255.255.255.0 192.168.254.2 255.255.255.0 eq 23

access-list filter-out-to-the-LAN extended deny ip 172.16.1.0 255.255.255.0 192.168.254.0 255.255.255.0

access-list filter-out-to-the-LAN extended permit ip any any


access-group filter-out-to-the-LAN out interface inside



HTH>



welaish77 Tue, 09/09/2008 - 02:33
User Badges:

when i add the these configuration all the clients cannot access the webserver and the mail server stops recieving mails.


I will attach the configuration so you can tell me what is missing to be able the other VPN side to ping and access my server on port 9816.


thanks.



Attachment: 
welaish77 Tue, 09/09/2008 - 02:51
User Badges:

yes the tunnel is up.


an i can see. packets decryption

#pkts encaps: 1123, #pkts encrypt: 1123, #pkts digest: 1123

#pkts decaps: 1268, #pkts decrypt: 1268, #pkts verify: 1268


yes allow to the server 192.168.124.9 from 213.184.187.178.

You need to clear down the tunnel down and get them to try and initiate from there side.


Try the below:-


access-list filter-out-to-the-LAN extended permit tcp host 213.184.187.178 host 192.168.124.9 eq 9816

access-list filter-out-to-the-LAN extended permit icmp host 213.184.187.178 host 192.168.124.9 echo

access-list filter-out-to-the-LAN extended deny ip host 213.184.187.178 host 192.168.124.9

access-list filter-out-to-the-LAN extended permit tcp any any

access-list filter-out-to-the-LAN extended permit udp any any

access-list filter-out-to-the-LAN extended permit icmp any any



access-group filter-out-to-the-LAN out interface inside


HTH

welaish77 Tue, 09/09/2008 - 04:00
User Badges:

sorry they left the office i will have to wait till tommorrow to test. anyways i would like to offer you a job in Dubai are you interested?

welaish77 Wed, 09/10/2008 - 20:25
User Badges:

it did not work they are not able to ping or telnet on the host using port 9816. they also cannot make the connection up.

Have you debugged the ipsec session when they are trying to connect?


Does the applied access-list applied to the inside interface have any hits?


What debugges are available from the remote end?


What errors are the remote end seeing?


They need to confirm that the source and destination IP addresses & ICMP/TCP ports are configured correctly in the bidirectional VPN policy.


The fact you can intiate to them - but they cannot initiate to you, indicates an issue at their end.


HTH>

Marwan ALshawi Tue, 09/02/2008 - 04:28
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Best Publication, December 2015

by the way

in ur ACL no nat u have the source and distination as host IP

so only packet from host 172.19.134.9 going to host 213.184.187.178 will be included in the nat exmption and will bring up the vpn tunnel as well

any packet from the LAN pix side wil not !!

if u want to i would sugest u to make it source pix LAN network and distination Juniper LAN network in the nonat ACL


if helpful Rate

Actions

This Discussion