Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5898
Views
0
Helpful
9
Replies

Issues setting up cisco asa 5510 site to site vpn

pauliew1978
Level 1
Level 1

‎11-30-2009 05:17 AM

Dear all,

I am trying to setup a site to site vpn with a checkpoint utm edge firewall and having issues. I am creating an ipsec vpn and the first phase of the isakmp negotioan is completing successfully however it is failing on phase 2. I have fairly limited experience with this type of cisco device. Though I have created the basic security policies on it before and know my way araound the adsm interface. I have run the vpn site to site wizard and there was one part I was a little stuck on....

basically in step 5...

cisco.JPG

I assumed that the source ip address should be the LAN network address and the destination address should be the network address of the corresponding side (for me it would be 172.1.16.0/24). However I receive the following error message on the adsm...

ciscoerror.JPG

Bare in mind I have set up nothing else (no acl's or nat etc). I am unsure of how to resolve this issue. If I can get this set up this then leads me to another question.

Ideally I want the vpn site to site to work between my dmz and the corresponding device. I am unsure of how I would set this up?

any help would be greatly greatly appreciated I am really struggling with this.

many thanks

Paul

Labels:
0 Helpful
9 Replies 9

Collin Clark
VIP Alumni
VIP Alumni

‎11-30-2009 06:38 AM

Hi Paul-

Yes your private LAN would be the source and the other ends/ private LAN would be the destination networks. You will also need to create NATs. Can you post your config so far so we can help you the rest of the way?

0 Helpful

pauliew1978
Level 1
Level 1
In response to Collin Clark

‎11-30-2009 07:28 AM

many thanks for the quick reply!

I have hacked out all of our info out as much as possible. Hopefully its still legible! Where I have removed the public ip of the vpn I have added a note saying it is the sonicwall endpoint ip)


interface Ethernet0/0
nameif outside
security-level 0
ip address xxxx
!
interface Ethernet0/1
nameif inside
security-level 100
ip address xxxx
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address xxxx
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!


access-list outside_1_cryptomap_1 extended permit ip 10.10.0.0 255.255.0.0 172.1.16.0 255.255.255.0
pager lines 24
logging enable
logging asdm-buffer-size 512
logging buffered errors
logging trap notifications
logging asdm warnings

logging host inside
mtu inside 1500
mtu outside 1500
mtu DMZ 1500

icmp unreachable rate-limit 1 burst-size 1
icmp permit host SWISP_Monitor outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 101 access-list DMZ_nat_outbound

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 xxxx
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute


crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer XXXXXXXX      (Endpoint IP for sonicwall device)
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint Local-TP
enrollment self
crl configure
crypto isakmp enable outside
crypto isakmp enable DMZ
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal  20

vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools value pool1
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none

tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group MyAuthGroupRad
authorization-server-group MyAuthGroupRad
default-group-policy xxxx
tunnel-group DefaultWEBVPNGroup webvpn-attributes
hic-fail-group-policy xxxx

group-alias group1 enable
tunnel-group test1 type ipsec-ra
tunnel-group test1 general-attributes
address-pool pool1
authentication-server-group MyAuthGroupKerb
authorization-server-group MyAuthGroupLDAP
default-group-policy test1
tunnel-group test1 ipsec-attributes
pre-shared-key *
tunnel-group test1 ppp-attributes
authentication ms-chap-v2
tunnel-group Test_radius type ipsec-ra
tunnel-group Test_radius general-attributes
authentication-server-group MyAuthGroupRad
authorization-server-group MyAuthGroupRad
password-management password-expire-in-days 3
tunnel-group Test_radius ipsec-attributes
pre-shared-key *
tunnel-group Test_radius ppp-attributes
no authentication chap
no authentication ms-chap-v1
tunnel-group xxxx  type ipsec-ra
tunnel-group xxxx general-attributes
authentication-server-group MyAuthGroupRad
authorization-server-group MyAuthGroupRad
password-management password-expire-in-days 2
tunnel-group xxxx ipsec-attributes
pre-shared-key *
tunnel-group xxxx ppp-attributes
no authentication chap
no authentication ms-chap-v1
tunnel-group xxxx( endpoint ip of sonicwall) type ipsec-l2l
tunnel-group (endpoint ip of sonicwall) ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
smtp-server xxxxx
prompt hostname context
Cryptochecksum:13c19db74ba92a86e0c747451a0807e9
: end
asdm image disk0:/asdm-524.bin
asdm location SWISP_Monitor 255.255.255.255 inside
2 255.255.255.255 inside
no asdm history enable

0 Helpful

Collin Clark
VIP Alumni
VIP Alumni
In response to pauliew1978

‎11-30-2009 08:02 AM

Can you post the following ACLs?

inside_nat0_outbound

outside_1_cryptomap_1

DMZ_nat0_outbound
DMZ_nat_outbound

Thanks.

0 Helpful

pauliew1978
Level 1
Level 1
In response to Collin Clark

‎11-30-2009 08:09 AM

Hi Collin,

many thanks for your help with this...

access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 172.1.16.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 10.10.0.0 255.255.0.0 172.1.16.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 192.168.252.0 255.255.255.0 172.1.16.0 255.255.255.0
access-list DMZ_nat_outbound extended permit ip host xxxx(webserver) any
access-list DMZ_nat_outbound extended permit ip host xxxx(webserver) any

cheers

Paul

0 Helpful

Collin Clark
VIP Alumni
VIP Alumni
In response to pauliew1978

‎11-30-2009 08:28 AM

So far everything is looking good. Can you post your debug logs?

0 Helpful

pauliew1978
Level 1
Level 1
In response to Collin Clark

‎11-30-2009 08:32 AM

sorry to be rubbish but how do I do that?

0 Helpful

Collin Clark
VIP Alumni
VIP Alumni
In response to pauliew1978

‎11-30-2009 08:44 AM

I made an assumption that you're running a debug (since you see phase 2 failing). That's what I'm looking for, the errors. Are you only using ASDM or do you also use the CLI?

0 Helpful

pauliew1978
Level 1
Level 1
In response to Collin Clark

‎11-30-2009 08:45 AM

NO, I am just using the adsm. I know a little about the command line. Will I see more info in the command line debug buffer?

0 Helpful

Collin Clark
VIP Alumni
VIP Alumni
In response to pauliew1978

‎11-30-2009 09:24 AM

Probably. I don't use ASDM so I'm not sure how much you are seeing. From the CLI you will see the same info, but you have a little more flexibility in how to view the logs. Is there a way to export what you are seeing?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents