11-30-2009 05:17 AM
Dear all,
I am trying to set up a site-to-site VPN with a Checkpoint UTM Edge firewall and having issues. I am creating an IPsec VPN and the first phase of the ISAKMP negotiation is completing successfully; however, it is failing on phase 2. I have fairly limited experience with this type of Cisco device, though I have created the basic security policies on it before and know my way around the ASDM interface. I have run the VPN site-to-site wizard and there was one part I was a little stuck on....
basically in step 5...
I assumed that the source IP address should be the LAN network address and the destination address should be the network address of the corresponding side (for me it would be 172.1.16.0/24). However, I receive the following error message on the ASDM...
Bear in mind I have set up nothing else (no ACLs or NAT etc). I am unsure of how to resolve this issue. If I can get this set up, this then leads me to another question.
Ideally I want the site-to-site VPN to work between my DMZ and the corresponding device. I am unsure of how I would set this up.
Any help would be greatly, greatly appreciated; I am really struggling with this.
many thanks
Paul
11-30-2009 06:38 AM
Hi Paul-
Yes, your private LAN would be the source and the other end's private LAN would be the destination network. You will also need to create NATs. Can you post your config so far so we can help you the rest of the way?
11-30-2009 07:28 AM
Many thanks for the quick reply!
I have hacked out as much of our info as possible. Hopefully it's still legible! (Where I have removed the public IP of the VPN I have added a note saying it is the SonicWall endpoint IP.)
interface Ethernet0/0
nameif outside
security-level 0
ip address xxxx
!
interface Ethernet0/1
nameif inside
security-level 100
ip address xxxx
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address xxxx
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
access-list outside_1_cryptomap_1 extended permit ip 10.10.0.0 255.255.0.0 172.1.16.0 255.255.255.0
pager lines 24
logging enable
logging asdm-buffer-size 512
logging buffered errors
logging trap notifications
logging asdm warnings
logging host inside
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit host SWISP_Monitor outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 101 access-list DMZ_nat_outbound
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 xxxx
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer XXXXXXXX (Endpoint IP for sonicwall device)
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint Local-TP
enrollment self
crl configure
crypto isakmp enable outside
crypto isakmp enable DMZ
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools value pool1
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group MyAuthGroupRad
authorization-server-group MyAuthGroupRad
default-group-policy xxxx
tunnel-group DefaultWEBVPNGroup webvpn-attributes
hic-fail-group-policy xxxx
group-alias group1 enable
tunnel-group test1 type ipsec-ra
tunnel-group test1 general-attributes
address-pool pool1
authentication-server-group MyAuthGroupKerb
authorization-server-group MyAuthGroupLDAP
default-group-policy test1
tunnel-group test1 ipsec-attributes
pre-shared-key *
tunnel-group test1 ppp-attributes
authentication ms-chap-v2
tunnel-group Test_radius type ipsec-ra
tunnel-group Test_radius general-attributes
authentication-server-group MyAuthGroupRad
authorization-server-group MyAuthGroupRad
password-management password-expire-in-days 3
tunnel-group Test_radius ipsec-attributes
pre-shared-key *
tunnel-group Test_radius ppp-attributes
no authentication chap
no authentication ms-chap-v1
tunnel-group xxxx type ipsec-ra
tunnel-group xxxx general-attributes
authentication-server-group MyAuthGroupRad
authorization-server-group MyAuthGroupRad
password-management password-expire-in-days 2
tunnel-group xxxx ipsec-attributes
pre-shared-key *
tunnel-group xxxx ppp-attributes
no authentication chap
no authentication ms-chap-v1
tunnel-group xxxx( endpoint ip of sonicwall) type ipsec-l2l
tunnel-group (endpoint ip of sonicwall) ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
smtp-server xxxxx
prompt hostname context
Cryptochecksum:13c19db74ba92a86e0c747451a0807e9
: end
asdm image disk0:/asdm-524.bin
asdm location SWISP_Monitor 255.255.255.255 inside
2 255.255.255.255 inside
no asdm history enable
11-30-2009 08:02 AM
Can you post the following ACLs?
inside_nat0_outbound
outside_1_cryptomap_1
DMZ_nat0_outbound
DMZ_nat_outbound
Thanks.
11-30-2009 08:09 AM
Hi Collin,
Many thanks for your help with this...
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 172.1.16.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 10.10.0.0 255.255.0.0 172.1.16.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 192.168.252.0 255.255.255.0 172.1.16.0 255.255.255.0
access-list DMZ_nat_outbound extended permit ip host xxxx(webserver) any
access-list DMZ_nat_outbound extended permit ip host xxxx(webserver) any
Cheers
Paul
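The reply earlier in the thread makes the point that the crypto-map ACL and the NAT-exemption (nat 0) ACLs have to line up, and Paul also wants the DMZ included in the tunnel. The following is an added example, not code from the thread or from Cisco, that cross-checks the three ACLs posted above for exactly that. It assumes the pre-8.3 ASA behaviour this config shows (the `nat (inside) 0 access-list` syntax, ASDM 5.2.4), where NAT is applied before the crypto map is consulted. The `DMZ_nat_outbound` entries are skipped because their host addresses are redacted on the page, and the extra DMZ crypto ACE it tries is hypothetical, constructed to show what a consistent configuration would look like.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: the ACLs exactly as posted in the thread. The
# DMZ_nat_outbound entries are left out because their host addresses are
# redacted on the page.
POSTED_ACLS = """
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 172.1.16.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 10.10.0.0 255.255.0.0 172.1.16.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 192.168.252.0 255.255.255.0 172.1.16.0 255.255.255.0
"""

# Hypothetical extra ACE (not from the page) that would put the DMZ subnet
# into the crypto map so DMZ <-> 172.1.16.0/24 traffic is tunnelled as well.
DMZ_CRYPTO_ACE = (
    "access-list outside_1_cryptomap_1 extended permit ip "
    "192.168.252.0 255.255.255.0 172.1.16.0 255.255.255.0\n"
)

CRYPTO_ACL = "outside_1_cryptomap_1"
NAT0_ACLS = ["inside_nat0_outbound", "DMZ_nat0_outbound"]

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")


def _take_addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK) from the token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a dotted netmask after the slash, e.g. 10.10.0.0/255.255.0.0
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acls(text):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'extended permit ip' ACEs."""
    acls = defaultdict(list)
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, rest = m.groups()
        src, tokens = _take_addr(rest.split())
        dst, _ = _take_addr(tokens)
        acls[name].append((src, dst))
    return dict(acls)


def covered(entry, aces):
    """True if some ACE in aces contains both the source and destination of entry."""
    src, dst = entry
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in aces)


def check_vpn_acls(acls, crypto_acl=CRYPTO_ACL, nat0_acls=NAT0_ACLS):
    """Cross-check the crypto-map ACL against the NAT-exemption (nat 0) ACLs.

    On a pre-8.3 ASA NAT happens before the crypto map is consulted, so:
      * an ACE that is NAT-exempt but absent from the crypto ACL is routed
        out 'outside' in the clear instead of being tunnelled;
      * a crypto ACE with no matching NAT exemption is PATed to the outside
        interface address first and then never matches the crypto ACL.
    Returns a list of human-readable findings; an empty list means consistent.
    """
    crypto = acls.get(crypto_acl, [])
    exempt = [ace for name in nat0_acls for ace in acls.get(name, [])]
    findings = []
    for name in nat0_acls:
        for ace in acls.get(name, []):
            if not covered(ace, crypto):
                findings.append(
                    f"{name}: {ace[0]} -> {ace[1]} is NAT-exempt but not in "
                    f"{crypto_acl}; that traffic will leave unencrypted"
                )
    for ace in crypto:
        if not covered(ace, exempt):
            findings.append(
                f"{crypto_acl}: {ace[0]} -> {ace[1]} has no NAT exemption; "
                f"it will be PATed before the crypto map and never match"
            )
    return findings


def run_posted_check():
    """Findings for the ACLs as posted in the thread."""
    return check_vpn_acls(parse_acls(POSTED_ACLS))


def run_fixed_check():
    """Findings after adding the hypothetical DMZ crypto ACE."""
    return check_vpn_acls(parse_acls(POSTED_ACLS + DMZ_CRYPTO_ACE))


if __name__ == "__main__":
    for line in run_posted_check() or ["no mismatches found"]:
        print(line)
    print("after adding the DMZ ACE:", run_fixed_check() or "no mismatches found")
```

Run as posted, the only finding is that 192.168.252.0/24 -> 172.1.16.0/24 is exempted from NAT on the DMZ but is not in the crypto map, so DMZ traffic to the far side would not be encrypted; the inside network is consistent on both lists. The check only sees the ASA side: phase 2 also fails when the peer's proxy IDs do not mirror the crypto ACL (the far end has to define 10.10.0.0/16, and the DMZ subnet if it is added, as its remote network), and if the remote side has a tighter network than the ASA's /16 the SAs will not come up either.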
11-30-2009 08:28 AM
So far everything is looking good. Can you post your debug logs?
11-30-2009 08:32 AM
Sorry to be rubbish, but how do I do that?
11-30-2009 08:44 AM
I made an assumption that you're running a debug (since you see phase 2 failing). That's what I'm looking for, the errors. Are you only using ASDM or do you also use the CLI?
11-30-2009 08:45 AM
No, I am just using the ASDM. I know a little about the command line. Will I see more info in the command line debug buffer?
11-30-2009 09:24 AM
Probably. I don't use ASDM so I'm not sure how much you are seeing. From the CLI you will see the same info, but you have a little more flexibility in how to view the logs. Is there a way to export what you are seeing?
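The reply asks for the phase 2 debug output from the CLI. As an added example, not from the thread or from Cisco's documentation, here is the sequence a practitioner would type in an enable-mode console or SSH session on an ASA of this vintage to capture it in a form that can be pasted into a post. `<peer-ip>` stands for the SonicWall endpoint address, which is redacted above.

```cisco
! Added example (not from the thread): capture the phase 2 failure from the ASA CLI.
! Run from enable mode; <peer-ip> is the SonicWall endpoint redacted above.

! No --More-- prompts, so the whole output can be copied from the terminal.
terminal pager 0
! Also echo syslog messages to this session (the IKE ones are the 713xxx series).
terminal monitor

! Drop any half-built SAs so the next attempt is logged from the very start.
clear crypto ipsec sa
clear crypto isakmp sa

! Verbose IKE (phase 1) and IPsec (phase 2 / proxy-ID) negotiation output.
debug crypto isakmp 127
debug crypto ipsec 127

! Now send interesting traffic, e.g. ping a 172.1.16.x host from a 10.10.x.x
! machine, and copy everything the session prints while the tunnel is attempted.

! Phase 1 is up when the peer shows MM_ACTIVE.
show crypto isakmp sa
! No entry for the peer, or zero #pkts encaps/decaps, means phase 2 never completed.
show crypto ipsec sa peer <peer-ip>

! Debugging is CPU-hungry on these boxes; always switch it off afterwards.
undebug all
```

The lines that matter in the phase 2 output are the ones around the proxy identities (local and remote networks) and the transform set; compare those against the ACL `outside_1_cryptomap_1` and the `ESP-3DES-SHA` transform set in the posted config, and against what the far end has configured.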