11-16-2009 12:01 PM - edited 03-06-2019 08:37 AM
I have the following information to create a tunnel....
Our endpoint is: 66.179.80.108
Our network is: 192.168.50.0 (255.255.255.0)
will need to make ACL from 172.38.14.8 to hosts 192.168.50.83, 192.168.50.86, 192.168.50.50, and 192.168.50.85
clinic will need to NAT interesting traffic to 172.38.14.0 255.255.255.0
Phase 1
Authentication: Pre-Shared
Encryption: 3DES
Hash: SHA
DH: 1
Lifetime: 86400 sec
Pre-shared Key: XXXXXXXXXXX
Phase 2
ESP encryption 3DES
ESP authentication
Lifetime 28800
I found a script for this specific tunnel. It complains about syntax in a couple spaces:
! add these lines to the access list you use for traffic coming
! in to your public interface. change the access list name of
! "outside_in" to whatever you use
access-list outside_in extended permit esp host 66.179.80.108 host 68.16.141.194
access-list outside_in extended permit ah host 66.179.80.108 host 68.16.141.194
access-list outside_in extended permit ip host 66.179.80.108 host 68.16.141.194
access-list outside_in extended permit gre host 66.179.80.108 host 68.16.141.194
access-group outside_in in interface outside
! this says "do not NAT between our networks"
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.1.0 255.255.255.0
access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.83
access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.50
access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.86
access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.85
crypto isakmp identify address
crypto isakmp policy 1 authentication pre-share
crypto isakmp policy 1 encryption 3des
crypto isakmp policy 1 hash sha
crypto isakmp policy 1 group 1
crypto isakmp policy 1 lifetime 86400
crypto ipsec transform-set ASA5505 esp-des esp-sha-hmac
crypto ipsec df-bit clear-df outside
crypto map PIX 10 match address PIXMAP
crypto map PIX 10 set peer 66.179.80.108
crypto map PIX 10 set transform-set ASA5505
crypto map PIX 10 set security-association lifetime seconds 28800
crypto map PIX interface outside
pre-shared-key XXXXXXXXXXXX
tunnel-group 66.179.80.108 type ipsec-l2l
tunnel-group 66.179.80.108 ipsec-attributes
Phase 1 completes (I think) and phase 2 errors as so...
1 Nov 16 2009 07:26:35 713900 Group = 66.179.80.108, IP = 66.179.80.108, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
3 Nov 16 2009 07:26:35 713902 Group = 66.179.80.108, IP = 66.179.80.108, Removing peer from correlator table failed, no match!
Thanks in advance for the omnipotent wisdom of the Cisco Gurus!
11-16-2009 12:32 PM
Matt
If this is a pix then you do not need the following lines in the acl on the outside interface -
access-list outside_in extended permit esp host 66.179.80.108 host 68.16.141.194
access-list outside_in extended permit ah host 66.179.80.108 host 68.16.141.194
access-list outside_in extended permit ip host 66.179.80.108 host 68.16.141.194
access-list outside_in extended permit gre host 66.179.80.108 host 68.16.141.194
Can you also clarify exactly what addressing you want to use. You have a crypto map acl that says -
access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.83
access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.50
access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.86
access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.85
and yet in your opening sentences you say -
"will need to make ACL from 172.38.14.8 to hosts 192.168.50.83, 192.168.50.86, 192.168.50.50, and 192.168.50.85"
so where does 172.38.14.8 come into it?
Jon
11-16-2009 12:36 PM
Thanks for the response!
This device is an ASA 5505
The tunnel is a host-to-host tunnel that will only be allowed to communicate between 192.168.1.8 (my side) and 192.168.50.83, .85, .86, and .50 (remote side).
172.38.14.8 is the address that the remote endpoint is expecting to see all traffic coming from.
According to the 3rd party 172.38.14.8 is the only address they will accept traffic from.
Thanks!
11-16-2009 12:50 PM
Matt
Right, then you don't need those lines on the outside acl.
Then, you are doing a NAT exemption for the VPN but the 3rd party wants you to NAT so you need to update your config -
1) Change -
access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.83
access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.50
access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.86
access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.85
to
access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.83
access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.50
access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.86
access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.85
2) You then need to NAT your source address(es) to 172.38.14.8 if they are going to 192.168.50.x addressing. You only have one source address in your example, i.e. 192.168.1.8, so we'll use that.
First you need to remove these 2 lines because you actually do want to NAT -
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.1.0 255.255.255.0
then we need an acl to define which traffic to NAT
access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.83
access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.50
access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.86
access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.85
static (inside,outside) 172.38.14.8 access-list PNAT
Can you make the above changes and then retest?
Jon
11-16-2009 01:00 PM
Result of the command: "! add these lines to the access list you use for traffic coming"
The command has been sent to the device
Result of the command: "! in to your public interface. change the access list name of"
The command has been sent to the device
Result of the command: "! "outside_in" to whatever you use"
The command has been sent to the device
Result of the command: "access-list outside_in extended permit esp host 66.179.80.108 host 68.16.141.194"
WARNING:
Result of the command: "access-list outside_in extended permit ah host 66.179.80.108 host 68.16.141.194"
WARNING:
Result of the command: "access-list outside_in extended permit ip host 66.179.80.108 host 68.16.141.194"
WARNING:
Result of the command: "access-list outside_in extended permit gre host 66.179.80.108 host 68.16.141.194"
WARNING:
Result of the command: "access-group outside_in in interface outside"
The command has been sent to the device
Result of the command: "! this says "do not NAT between our networks""
The command has been sent to the device
Result of the command: "access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0"
WARNING:
Result of the command: "access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.83"
The command has been sent to the device
Result of the command: "access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.50"
The command has been sent to the device
Result of the command: "access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.86"
The command has been sent to the device
Result of the command: "access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.85"
The command has been sent to the device
Result of the command: "static (inside,outside) 172.38.14.8 access-list PNAT"
ERROR: mapped-address conflict with existing static
inside:192.168.1.8 to outside:172.38.14.8 netmask 255.255.255.255
Usage: [no] static [(real_ifc, mapped_ifc)]
{
{
[dns]
[[tcp]
[udp
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{
{
{access-list
[dns]
[[tcp]
[udp
show running-config [all] static [
clear configure static
Result of the command: "access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.83"
The command has been sent to the device
Result of the command: "access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.50"
The command has been sent to the device
Result of the command: "access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.86"
The command has been sent to the device
Result of the command: "access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.85"
The command has been sent to the device
Result of the command: "crypto isakmp identify address"
crypto isakmp identify address
^
ERROR: % Invalid input detected at '^' marker.
Result of the command: "crypto isakmp policy 1 authentication pre-share"
The command has been sent to the device
Result of the command: "crypto isakmp policy 1 encryption 3des"
The command has been sent to the device
Result of the command: "crypto isakmp policy 1 hash sha"
The command has been sent to the device
Result of the command: "crypto isakmp policy 1 group 1"
The command has been sent to the device
Result of the command: "crypto isakmp policy 1 lifetime 86400"
The command has been sent to the device
Result of the command: "crypto ipsec transform-set ASA5505 esp-des esp-sha-hmac"
The command has been sent to the device
Result of the command: "crypto ipsec df-bit clear-df outside"
The command has been sent to the device
Result of the command: "crypto map PIX 10 match address PIXMAP"
The command has been sent to the device
Result of the command: "crypto map PIX 10 set peer 66.179.80.108"
The command has been sent to the device
Result of the command: "crypto map PIX 10 set transform-set ASA5505"
The command has been sent to the device
Result of the command: "crypto map PIX 10 set security-association lifetime seconds 28800"
The command has been sent to the device
Result of the command: "crypto map PIX interface outside"
The command has been sent to the device
Result of the command: "pre-shared-key CrmEF8c3BZPUSYNsq8q7"
pre-shared-key CrmEF8c3BZPUSYNsq8q7
^
ERROR: % Invalid input detected at '^' marker.
Result of the command: "tunnel-group 66.179.80.108 type ipsec-l2l"
tunnel-group 66.179.80.108 type ipsec-l2l
^
ERROR: % Invalid input detected at '^' marker.
Result of the command: "tunnel-group 66.179.80.108 ipsec-attributes"
The command has been sent to the device
I still have the same errors with phase 2.... Thanks again for the hand holding!
11-16-2009 01:04 PM
Matt
Are you using ASDM or are you using the CLI?
The config changes I sent would require you to remove some bits.
Can you post the current config you are using.
Jon
11-16-2009 01:12 PM
I am using the command line interface from the ASDM. Below is the result of show startup-config:
: Saved
: Written by enable_15 at 09:32:05.797 UTC Mon Nov 16 2009
!
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password BARXKS2hn1aBh6hZ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 68.16.141.194 PublicIP
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group att
ip address PublicIP 255.255.255.255 pppoe setroute
!
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group service RDP tcp
port-object eq 3389
object-group network remote-vpn-hosts
network-object host 192.168.50.50
network-object host 192.168.50.83
network-object host 192.168.50.86
access-list outside_access_inside extended permit ip any any
access-list outside_access_inside extended permit tcp any host PublicIP eq 3389
access-list Sayani_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.38.14.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.38.14.0 255.255.255.0
access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.83
access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.50
access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.86
access-list outside_in extended permit esp host 66.179.80.108 host PublicIP
access-list outside_in extended permit ah host 66.179.80.108 host PublicIP
access-list outside_in extended permit ip host 66.179.80.108 host PublicIP
access-list outside_in extended permit gre host 66.179.80.108 host PublicIP
access-list cryptomap_acl extended permit ip host 172.38.14.8 object-group remote-vpn-hosts
access-list static-vpn1 extended permit ip host 192.168.1.8 object-group remote-vpn-hosts
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool Sayani_Pool 192.168.1.220-192.168.1.225 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 10 192.168.1.8
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.8 3389 netmask 255.255.255.255
static (inside,outside) 172.38.14.8 access-list static-vpn1
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ASA5505 esp-3des esp-sha-hmac
crypto ipsec df-bit clear-df outside
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map PIX 10 match address PIXMAP
crypto map PIX 10 set pfs group1
crypto map PIX 10 set peer 66.179.80.108
crypto map PIX 10 set transform-set ESP-3DES-SHA
crypto map PIX interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
vpdn group att request dialout pppoe
vpdn group att localname internalmedicinelc@att.net
vpdn group att ppp authentication pap
vpdn username internalmedicinelc@att.net password jkk843 store-local
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
!
group-policy Sayani internal
group-policy Sayani attributes
dns-server value 192.168.1.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Sayani_splitTunnelAcl
default-domain value DSIM.local
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs enable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
username sayani password rAVpdpP7rbTdd3qu encrypted privilege 15
username sayani attributes
vpn-group-policy Sayani
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group Sayani type ipsec-ra
tunnel-group Sayani general-attributes
address-pool Sayani_Pool
default-group-policy Sayani
tunnel-group Sayani ipsec-attributes
pre-shared-key *
tunnel-group 66.179.80.108 type ipsec-l2l
tunnel-group 66.179.80.108 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e47508892c1737bc0732ecd1807c72ab
11-16-2009 01:19 PM
Matt
Think you're getting the PNAT message because you have this -
static (inside,outside) tcp interface 3389 192.168.1.8 3389 netmask 255.255.255.255
so you are already NATting 192.168.1.8 to the outside interface address.
As for the rest I'm not that good with ASDM, I just use the CLI. So you need to remove and then replace, i.e.
no access-list PIXMAP
then
access-list PIXMAP permit ip 172.38.14.8 .... etc.
Jon
11-16-2009 12:54 PM
Matt
Apologies, quick update. I said remove -
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.1.0 255.255.255.0
don't do that :-)
You need to remove these 2 lines -
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
Jon
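An added example, not from this thread and not Cisco's or the poster's code: a small checker for the three things Jon's replies turn on. The crypto map ACL must name the post-NAT address (172.38.14.8), because the ASA translates before it matches the crypto map; a `nat (inside) 0 access-list` exemption is evaluated before any `static`, so while `NONAT` covers 192.168.1.0/24 to 192.168.50.0/24 the policy static never applies and the traffic leaves with its real source, which is why the proxy IDs never line up; and two `static` commands cannot share a mapped address, which is the `mapped-address conflict with existing static` error above, since the running config already carries `static (inside,outside) 172.38.14.8 access-list static-vpn1`. The `BROKEN` and `FIXED` fragments are constructed from lines in the posted running config (the corrected one simply points the crypto map at `cryptomap_acl` and keeps `static-vpn1`, both of which already exist there); the parser understands only the statement forms that appear in this thread, and all function names are mine.

```python
"""Lint the NAT / crypto-ACL interplay of an ASA 7.2-style L2L VPN config fragment.

Added example (not Cisco's, not the poster's). Understands only: network
object-groups, 'access-list N extended permit ip SRC DST' (host / mask /
object-group / any operands), 'nat (ifc) 0 access-list', policy
'static (a,b) MAPPED access-list N' and 'crypto map N SEQ match address ACL'.
"""
from ipaddress import ip_network

# Constructed from the thread's running config: crypto map still points at
# PIXMAP (real address), NAT exemption still present, and a second static
# for 172.38.14.8 was attempted on top of the existing static-vpn1 one.
BROKEN = """
object-group network remote-vpn-hosts
 network-object host 192.168.50.50
 network-object host 192.168.50.83
 network-object host 192.168.50.86
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.83
access-list static-vpn1 extended permit ip host 192.168.1.8 object-group remote-vpn-hosts
access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.83
nat (inside) 0 access-list NONAT
static (inside,outside) 172.38.14.8 access-list static-vpn1
static (inside,outside) 172.38.14.8 access-list PNAT
crypto map PIX 10 match address PIXMAP
"""

# Constructed: exemption gone, one policy static, crypto map keyed on the mapped address.
FIXED = """
object-group network remote-vpn-hosts
 network-object host 192.168.50.50
 network-object host 192.168.50.83
 network-object host 192.168.50.86
access-list cryptomap_acl extended permit ip host 172.38.14.8 object-group remote-vpn-hosts
access-list static-vpn1 extended permit ip host 192.168.1.8 object-group remote-vpn-hosts
static (inside,outside) 172.38.14.8 access-list static-vpn1
crypto map PIX 10 match address cryptomap_acl
"""

def _operand(tok, i, groups):
    """Parse one ACE address operand at tok[i]; return ([networks], next index)."""
    kind = tok[i]
    if kind == "host":
        return [ip_network(tok[i + 1])], i + 2
    if kind == "object-group":
        return [ip_network(h) for h in groups[tok[i + 1]]], i + 2
    if kind == "any":
        return [ip_network("0.0.0.0/0")], i + 1
    return [ip_network(f"{kind}/{tok[i + 1]}", strict=False)], i + 2   # "net mask" form

def parse_config(text):
    groups, acls, statics, exempt, cmaps, group = {}, {}, [], [], [], None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[:2] == ["object-group", "network"]:
            group = tok[2]
            groups[group] = []
        elif tok[:2] == ["network-object", "host"] and group:
            groups[group].append(tok[2])
        elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            src, i = _operand(tok, 5, groups)
            dst, _ = _operand(tok, i, groups)
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:
            exempt.append(tok[4])                      # NAT exemption, evaluated before any static
        elif tok[0] == "static" and "access-list" in tok:
            statics.append((tok[2], tok[tok.index("access-list") + 1]))   # policy static
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["match", "address"]:
            cmaps.append((f"{tok[2]} {tok[3]}", tok[6]))
    return {"acls": acls, "statics": statics, "exempt": exempt, "cmaps": cmaps}

def _flows(cfg, acl):
    """All (src, dst) network pairs an ACL permits, object-groups expanded."""
    return [(s, d) for src, dst in cfg["acls"].get(acl, []) for s in src for d in dst]

def _covers(flow, flows):
    s, d = flow
    return any(s.subnet_of(cs) and d.subnet_of(cd) for cs, cd in flows)

def _fmt(net):
    return str(net.network_address) if net.prefixlen == 32 else str(net)

def lint(text):
    """Return a list of human-readable findings (empty list means consistent)."""
    cfg, findings, owner = parse_config(text), [], {}
    for mapped, acl in cfg["statics"]:                 # 1. duplicate mapped address
        if mapped in owner:
            findings.append(f"conflict: static {mapped} via {acl} duplicates the static via {owner[mapped]}")
        owner.setdefault(mapped, acl)
    exempt_flows = [f for acl in cfg["exempt"] for f in _flows(cfg, acl)]
    crypto_flows = [f for _, acl in cfg["cmaps"] for f in _flows(cfg, acl)]
    for mapped, acl in cfg["statics"]:
        real = _flows(cfg, acl)
        shadowed = [f for f in real if _covers(f, exempt_flows)]        # 2. nat 0 wins
        if shadowed:
            findings.append(f"shadowed: static {mapped} via {acl} never applies to "
                            + ", ".join(f"{_fmt(s)}->{_fmt(d)}" for s, d in shadowed)
                            + " (matched by nat 0 exemption)")
        missing = [d for _, d in real if not _covers((ip_network(mapped), d), crypto_flows)]
        if missing:                                                      # 3. crypto ACL sees post-NAT source
            findings.append(f"uncovered: no crypto ACL entry for translated flows {mapped}->"
                            + ", ".join(_fmt(d) for d in missing))
    for cs, cd in crypto_flows:                                          # 4. crypto ACL written pre-NAT
        for mapped, acl in cfg["statics"]:
            if _covers((cs, cd), _flows(cfg, acl)):
                findings.append(f"real-address: crypto ACL entry {_fmt(cs)}->{_fmt(cd)} uses the "
                                f"pre-NAT address; static {acl} translates it to {mapped}")
                break
    return findings

if __name__ == "__main__":
    for name, text in (("as posted", BROKEN), ("corrected", FIXED)):
        result = lint(text)
        print(f"== {name}: {len(result)} finding(s)")
        for f in result:
            print("  ", f)
```

Run it as-is and the posted fragment yields six findings (the duplicate static, both statics shadowed by `NONAT`, both statics without a matching crypto entry, and `PIXMAP` keyed on the real address), while the corrected fragment yields none. On a real box the equivalent checks are `show xlate` after a test ping (the source should show as 172.38.14.8) and `show crypto ipsec sa`, where the local identity in the proxy IDs must be 172.38.14.8 for the peer to accept phase 2.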
11-16-2009 01:27 PM
Result of the command: "! add these lines to the access list you use for traffic coming"
The command has been sent to the device
Result of the command: "! in to your public interface. change the access list name of"
The command has been sent to the device
Result of the command: "! "outside_in" to whatever you use"
The command has been sent to the device
Result of the command: "access-list outside_in extended permit esp host 66.179.80.108 host 68.16.141.194"
WARNING:
Result of the command: "access-list outside_in extended permit ah host 66.179.80.108 host 68.16.141.194"
WARNING:
Result of the command: "access-list outside_in extended permit ip host 66.179.80.108 host 68.16.141.194"
WARNING:
Result of the command: "access-list outside_in extended permit gre host 66.179.80.108 host 68.16.141.194"
WARNING:
Result of the command: "access-group outside_in in interface outside"
The command has been sent to the device
Result of the command: "! this says "do not NAT between our networks""
The command has been sent to the device
Result of the command: "nat (inside) 1 192.168.1.0 255.255.255.0"
Duplicate NAT entry
Result of the command: "access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.83"
WARNING:
On Mon, Nov 16, 2009 at 4:24 PM, Matt Bilbrey <matt@uc3.biz> wrote:
! add these lines to the access list you use for traffic coming
! in to your public interface. change the access list name of
! "outside_in" to whatever you use
access-list outside_in extended permit esp host 66.179.80.108 host 68.16.141.194
access-list outside_in extended permit ah host 66.179.80.108 host 68.16.141.194
access-list outside_in extended permit ip host 66.179.80.108 host 68.16.141.194
access-list outside_in extended permit gre host 66.179.80.108 host 68.16.141.194
access-group outside_in in interface outside
! this says "do not NAT between our networks"
nat (inside) 1 192.168.1.0 255.255.255.0
access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.83
access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.50
access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.86
access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.85
static (inside,outside) 172.38.14.8 access-list PNAT
access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.83
access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.50
access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.86
access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.85
crypto isakmp identify address
crypto isakmp policy 1 authentication pre-share
crypto isakmp policy 1 encryption 3des
crypto isakmp policy 1 hash sha
crypto isakmp policy 1 group 1
crypto isakmp policy 1 lifetime 86400
crypto ipsec transform-set ASA5505 esp-des esp-sha-hmac
crypto ipsec df-bit clear-df outside
crypto map PIX 10 match address PIXMAP
crypto map PIX 10 set peer 66.179.80.108
crypto map PIX 10 set transform-set ASA5505
crypto map PIX 10 set security-association lifetime seconds 28800
crypto map PIX interface outside
pre-shared-key CrmEF8c3BZPUSYNsq8q7
tunnel-group 66.179.80.108 type ipsec-l2l
tunnel-group 66.179.80.108 ipsec-attributes
I am still getting the same "no spi to identify phase 2 sa" error
Thanks!