VPN

siclines1234

Hi everyone, I am super lost at this point, please help. I cannot get a site-to-site VPN connection between an ASA 5510 and an 1841.

Below is the output of the ISAKMP SAs, IPsec SAs and crypto maps for the 1841.

Router#show cry isakmp sa
dst             src             state          conn-id slot status
70.33.178.164   66.160.11.132   MM_NO_STATE          0    0 ACTIVE (deleted)
66.160.11.132   70.33.178.164   MM_NO_STATE          1    0 ACTIVE (deleted)

Router#sh cry ipsec sa

interface: FastEthernet0/1
    Crypto map tag: asa1, local addr 66.160.11.132

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   current_peer 70.33.178.164 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 319, #recv errors 0

     local crypto endpt.: 66.160.11.132, remote crypto endpt.: 70.33.178.164
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
   current_peer 70.33.178.164 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 66.160.11.132, remote crypto endpt.: 70.33.178.164
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


Router#sh cry map
Crypto Map "asa1" 1 ipsec-isakmp
        Peer = 70.33.178.164
        Extended IP access list 100
            access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
            access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.11.0 0.0.0.255
        Current peer: 70.33.178.164
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                ESP-3DES-SHA,
        }

Crypto Map "asa1" 10 ipsec-isakmp
        Peer = 70.33.178.164
        Extended IP access list 100
            access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
            access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.11.0 0.0.0.255
        Current peer: 70.33.178.164
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                ESP-3DES-SHA,
        }
        Interfaces using crypto map asa1:
                FastEthernet0/1

ASA 5510

Result of the command: "sh cry ipsec sa"

interface: outside
    Crypto map tag: outside_map0, seq num: 2, local addr: 70.33.178.164

      access-list outside_2_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      current_peer: 71.191.130.50

      #pkts encaps: 175781, #pkts encrypt: 175781, #pkts digest: 175781
      #pkts decaps: 267694, #pkts decrypt: 267694, #pkts verify: 267694
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 175781, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 70.33.178.164/4500, remote crypto endpt.: 71.191.130.50/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 552987DF

    inbound esp sas:
      spi: 0x4FFF5AF2 (1342135026)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 12288, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373516/2107)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x552987DF (1428785119)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 12288, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373641/2107)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Result of the command: "sh cry isakmp sa"

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 71.191.130.50
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 66.160.11.132
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

Let me know if I should post anything else, please.

Thanks in advance

30 Replies

Hi,

According to the output:

ASA's public IP: 70.33.178.164

Router's public IP: 66.160.11.132

ASA's internal LAN:

192.168.10.0/24

192.168.11.0/24

Router's internal LAN:

192.168.30.0/24

The interesting traffic seems defined on the ASA to the 192.168.20.0/24 which is nowhere.

Please confirm the above addresses and clear the SAs and try again.

Federico.

The interesting traffic 192.168.20.0/24 is the second VPN connection, which connects from a different address than 66.160.x.x. The interesting traffic from 66 is 192.168.30.0/24.

I noticed in my own post that the type for 66.x.x is "user", whereas the other VPN that is connected is L2L. Is that the problem?

Thanks

Yes,

The fact that you're seeing the connection on the ASA from 66.160.11.132 as type "user" indicates that it is landing on the dynamic crypto map instead of using the appropriate tunnel-group.

This could be because the ACL for interesting traffic is not matching on both ends.

Could you post the relevant VPN configuration from both sides (but just for this particular tunnel)?

Federico.

What commands do you want me to run to show the VPN config?

ASA:

sh run crypt map

sh run access-list NAME --> name is the ACL defined in the crypto map

sh run access-list NAME --> name is the ACL defined in the NAT 0 statement

sh run tunnel-group

sh run cry isa

sh run cry ips

Router:

sh run | i cry

sh access-list NAME --> name is the ACL defined in the crypto map

In case that you're doing NAT on the router, then copy the NAT configuration:  sh run | i ip nat

From the above commands, just post the VPN configuration that pertains to this tunnel.

Federico.

ASA

Result of the command: "sh run crypt map"

crypto map outside_map0 1 match address outside_cryptomap_2
crypto map outside_map0 1 set peer 66.160.11.132 70.108.240.44
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 interface outside

Result of the command: "sh run access-list outside_cryptomap_2"

access-list outside_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

Result of the command: "sh run access-list NAT 0" - I am not sure what name to put here.

Result of the command: "sh run tunnel-group"

tunnel-group 66.160.11.132 type ipsec-l2l
tunnel-group 66.160.11.132 ipsec-attributes
 pre-shared-key *

Result of the command: "sh run cry isa"

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp ipsec-over-tcp port 10000

Result of the command: "sh run cry ips"

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

1841

no service password-encryption
crypto isakmp policy 1
crypto isakmp key ****** address 70.33.178.164 no-xauth
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto map asa1 1 ipsec-isakmp
crypto map asa1 10 ipsec-isakmp
crypto map asa1

sh access-list asa1

nothing

Router#sh run | i ip nat
ip nat inside
ip nat outside
ip nat translation dns-timeout 180
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload

Not sure if I did the access list right for the ASA and 1841. The return for the 1841 was blank, and the ASA returned a lot. I tried to post what was relevant.

We need this output from the ASA:


sh run nat
sh run access-list NAME  --> name is the ACL that shows under the NAT0 statement from the command above

From the router:


sh run | sect route-map SDM_RMAP_1
sh access-list NAME --> name for the ACL that shows under the route-map above

Also try this:

ASA:


clear cry isa sa 66.160.11.132
clear cry ips sa peer 66.160.11.132

Router:
clear cry isa
clear cry sa

Then try to establish the tunnel again and see the results of both devices:


sh cry isa sa
sh cry ips sa

Federico.

Instead of:

Router#sh access-list SDM_RMAP_1

Please post:

Router#sh access-list 101

I think that we can see the entire picture after this last post.

Federico.

Router#sh access-list 101
Extended IP access list 101
    10 deny ip 192.168.30.0 0.0.0.255 192.168.11.0 0.0.0.255
    20 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255 (557 matches)
    30 permit ip 192.168.30.0 0.0.0.255 any (2371 matches)

thanks a lot for your help
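The two ACL checks Federico is driving at in this thread (interesting-traffic ACLs that are mirror images of each other, and VPN traffic that is exempted from NAT on the router before the crypto map sees it), as an added example that is not part of the original thread. The three ACLs are copied from the posts above; the parser and the check logic are mine, handle only the `permit`/`deny ip <src> <dst>` forms that appear here, and assume the usual IOS wildcard-mask versus ASA subnet-mask conventions. The ASA side's NAT 0 ACL was never posted, so it is not checked.

```python
"""
Added example (not from the thread): parse the crypto ACLs and the router's NAT
route-map ACL posted above and run two checks:
  1. the interesting-traffic ACLs must be mirror images of each other, and
  2. every VPN flow must hit a 'deny' in the router's NAT ACL (route-map
     SDM_RMAP_1 / ACL 101), otherwise it is PAT'd before encryption.
Only the 'permit|deny ip <src> <dst>' forms seen in the thread are handled.
"""
import ipaddress


def _mask_to_prefix(mask, wildcard):
    """Dotted mask -> prefix length. IOS ACLs use wildcard (inverse) masks,
    ASA ACLs use ordinary subnet masks, so the caller says which it is."""
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:
        bits ^= 0xFFFFFFFF
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask}")
    return prefix


def _endpoint(toks, pos, wildcard):
    """Read one ACE endpoint starting at toks[pos]; return (network, next_pos)."""
    if toks[pos] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), pos + 1
    if toks[pos] == "host":
        return ipaddress.ip_network(toks[pos + 1] + "/32"), pos + 2
    prefix = _mask_to_prefix(toks[pos + 1], wildcard)
    return ipaddress.ip_network((toks[pos], prefix), strict=False), pos + 2


def parse_acl(text, wildcard):
    """Return [(action, src_net, dst_net)] for every 'permit|deny ip' ACE.
    Leading 'access-list NAME [extended]' / sequence numbers and trailing
    '(N matches)' counters are ignored; lines with no ACE are skipped."""
    flows = []
    for line in text.strip().splitlines():
        toks = line.split()
        idx = [i for i, t in enumerate(toks) if t in ("permit", "deny")]
        if not idx:
            continue
        i = idx[0]
        if toks[i + 1] != "ip":
            raise ValueError(f"only 'ip' ACEs are handled: {line}")
        src, pos = _endpoint(toks, i + 2, wildcard)
        dst, _ = _endpoint(toks, pos, wildcard)
        flows.append((toks[i], src, dst))
    return flows


def mirror_mismatches(local_acl, remote_acl):
    """Proxy IDs must be mirror images: a permit src->dst on one side needs a
    permit dst->src on the other. Return (only_on_local, only_on_remote)."""
    local = {(s, d) for a, s, d in local_acl if a == "permit"}
    remote_mirrored = {(d, s) for a, s, d in remote_acl if a == "permit"}
    return local - remote_mirrored, remote_mirrored - local


def nat_exempt_gaps(crypto_acl, nat_acl):
    """Return VPN flows the NAT ACL would translate. First-match semantics: a
    flow is safe only if its first covering ACE is a deny, or nothing matches
    (the IOS implicit deny also leaves it untranslated)."""
    gaps = []
    for action, src, dst in crypto_acl:
        if action != "permit":
            continue
        verdict = "deny"
        for nact, nsrc, ndst in nat_acl:
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                verdict = nact
                break
        if verdict == "permit":
            gaps.append((src, dst))
    return gaps


# Constructed input: the three ACLs exactly as they appear earlier in the thread.
ROUTER_CRYPTO_ACL = """
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.11.0 0.0.0.255
"""
ASA_CRYPTO_ACL = """
access-list outside_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
"""
ROUTER_NAT_ACL = """
Extended IP access list 101
    10 deny ip 192.168.30.0 0.0.0.255 192.168.11.0 0.0.0.255
    20 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255 (557 matches)
    30 permit ip 192.168.30.0 0.0.0.255 any (2371 matches)
"""


def check_thread_config():
    """Run both checks on the thread's ACLs; values are lists of 'src -> dst'."""
    router = parse_acl(ROUTER_CRYPTO_ACL, wildcard=True)
    asa = parse_acl(ASA_CRYPTO_ACL, wildcard=False)
    nat = parse_acl(ROUTER_NAT_ACL, wildcard=True)
    only_router, only_asa = mirror_mismatches(router, asa)

    def fmt(pairs):
        return sorted(f"{s} -> {d}" for s, d in pairs)

    return {
        "router_flows_with_no_asa_mirror": fmt(only_router),
        "asa_flows_with_no_router_mirror": fmt(only_asa),
        "router_flows_not_nat_exempt": fmt(nat_exempt_gaps(router, nat)),
    }


if __name__ == "__main__":
    for name, items in check_thread_config().items():
        print(f"{name}: {items or 'none'}")
```

Run against the ACLs from the thread, the NAT check comes back clean (both VPN destinations are denied in ACL 101 before the `permit ... any` line), while the mirror check reports the router's `192.168.30.0/24 -> 192.168.11.0/24` entry as having no counterpart in `outside_cryptomap_2`, which only covers 192.168.10.0/24. A one-sided proxy ID like that is exactly the kind of interesting-traffic mismatch Federico says can push the peer onto the dynamic crypto map; the mirror check is the first thing to run whenever an L2L peer shows up as type "user".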

Let me know the results of these tests:

From the ASA can you PING 66.160.11.132?

From the router can you PING 70.33.178.164?

If both PINGs are successful, then let's try to send traffic through the tunnel.

First clear the SAs again and...

Add these two commands to the ASA:

management-access inside

sysopt connection permit-vpn

Then, from the router do this:

ping x.x.x.x source y.y.y.y

x.x.x.x is the IP of the inside interface of the ASA (192.168.10.x)

y.y.y.y is the IP of the internal interface of the router (192.168.30.x)

Check again:

sh cry isa sa

sh cry ips sa

Federico.

OK, I was able to ping each device from the other.

When I ran the command management-access inside, it returned: "Please remove the management access before configure a new one"

As you can see below, I was not able to ping the inside addresses.

Router#ping 192.168.10.1 source 192.168.30.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.30.1
.....
Success rate is 0 percent (0/5)
Router#sh cry isa sa
dst             src             state          conn-id slot status
70.33.178.164   66.160.11.132   MM_NO_STATE          0    0 ACTIVE
70.33.178.164   66.160.11.132   MM_NO_STATE          0    0 ACTIVE (deleted)
66.160.11.132   70.33.178.164   MM_SA_SETUP          1    0 ACTIVE

Router#sh cry ips sa

interface: FastEthernet0/1
    Crypto map tag: asa1, local addr 66.160.11.132

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   current_peer 70.33.178.164 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 13, #recv errors 0

     local crypto endpt.: 66.160.11.132, remote crypto endpt.: 70.33.178.164
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
   current_peer 70.33.178.164 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 66.160.11.132, remote crypto endpt.: 70.33.178.164
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Check this on the ASA:

sh run management

Make sure that you remove the "management-access xxxxx" line and then add it as "management-access inside".

Check that the internal IP of the ASA is something in the 192.168.10.x and the internal IP of the router something in the 192.168.30.x

And try it both ways:

From the router:

ping 192.168.10.x source 192.168.30.x

From the ASA:

ping inside 192.168.30.x

Federico.
