issues with communications through the asa vpn (site-to-site)

Unanswered Question
Jul 13th, 2010
User Badges:

I've got a test setup on my desk.

It goes:


Ubuntu host(vm)-------------Openswan on ubuntu (vm)----- vmware gateway------ xp host-------------------- cisco asa ------ xp host

192.168.2.2                    192.168.92.128                      192.168.92.2          200.200.200.2         200.200.200.1     192.168.1.5

                                                        ===================tunnel=====================


Now i had it working before, worked on some other things, came back to it and it wasnt working, so im not sure what or where i changed something. I could easily start over but id rather find out whats wrong with it. So when i ping  192.168.1.5 from 192.168.2.2, there are no replies. However i did  a capture on the inside interface of the ASA and there was replies shown there, they wouldnt come back past that. I've also tried using netcat to send a file over on port 1234. On wireshark on the openswan vm, i can see a few ESP packets destined for 200.200.200.1, but 192.168.1.5 doesnt receive them.


Here's my show run output:


               
!
hostname ciscoasa                
enable password 8Ry2YjIyt7RRXU24 encrypted                                         
passwd 2KFQnbNIdI.2KYOU encrypted                                
names    
!
interface Vlan1              
nameif inside             
security-level 100                  
ip address 192.168.1.1 255.255.255.0                                    
!
interface Vlan2              
nameif outside              
security-level 0                
ip address 200.200.200.1 255.255.255.0                                      
!
interface Ethernet0/0                    
switchport access vlan 2                        
!
interface Ethernet0/1                    
!
interface Ethernet0/2                    
!
interface Ethernet0/3                    
!
interface Ethernet0/4                    
!
interface Ethernet0/5                    
!
interface Ethernet0/6                    
!
interface Ethernet0/7                    
!
ftp mode passive               
access-list inbound extended permit ip any any                                             
access-list inbound extended permit udp any any eq isakmp                                                        
access-list inbound extended permit udp any any eq 4500                                                      
access-list inbound extended permit esp any any                                              
access-list inbound extended deny ip any any                                           
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.2                                                                               
55.255.0       
access-list inbound2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 25                                                                               
5.255.255.0          
access-list inbound2 extended permit ip host 200.200.200.1 host 200.200.200.2                                                                            
pager lines 24             
logging enable             
logging timestamp                
logging buffered debugging                         
logging asdm informational                         
mtu inside 1500              
mtu outside 1500               
ip local pool name 192.168.1.40-192.168.1.60                                           
icmp unreachable rate-limit 1 burst-size 1                                         
no asdm history enable                     
arp timeout 14400                
global (outside) 1 interface                           
nat (inside) 0 access-list NONAT                               
nat (inside) 1 0.0.0.0 0.0.0.0                             
access-group inbound in interface outside                                        
route outside 0.0.0.0 0.0.0.0 200.200.200.0                                         
timeout xlate 3:00:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02                                                                
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00                                                                             
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00                                                                              
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute                                                           
timeout tcp-proxy-reassembly 0:01:00                                   
dynamic-access-policy-record DfltAccessPolicy                                            
http server enable                 
http 192.168.1.0 255.255.255.0 inside                                    
no snmp-server location                      
no snmp-server contact                     
snmp-server enable traps snmp authentication linkup linkdown coldstart                                                                     
crypto ipsec transform-set ts2 esp-3des esp-md5-hmac                                                   
crypto ipsec security-association lifetime seconds 28800                                                       
crypto ipsec security-association lifetime kilobytes 4608000                                                           
crypto dynamic-map dmap 20 set transform-set ts2                                               
crypto map emap 10 match address inbound2                                        
crypto map emap 10 set peer 192.168.92.128                                         
crypto map emap 10 set transform-set ts2                                       
crypto map emap 60000 ipsec-isakmp dynamic dmap                                              
crypto map emap interface outside                                
crypto isakmp enab                
crypto isakmp policy 10                      
authentication pre-share                        
encryption 3des               
hash md5        
group 2       
lifetime 86400              
telnet timeout 5               
ssh timeout 5            
console timeout 0                
management-access inside                       
dhcpd auto_config outside                        
!
dhcpd address 192.168.1.5-192.168.1.36 inside                                            
dhcpd enable inside                  
!


threat-detection basic-threat                            
threat-detection statistics access-list                                      
no threat-detection statistics tcp-intercept                                           
webvpn     
username ryan password .MqBmFV5KQ86DWrJ encrypted                                                
tunnel-group 200.200.200.2 type ipsec-l2l                                        
tunnel-group 200.200.200.2 ipsec-att                                  
pre-shared-key *                
tunnel-group ryan type remote-access                                   
tunnel-group ryan general-attributes                                   
address-pool name                 
tunnel-group ryan ipsec-attributes                                 
pre-shared-key *                
!
class-map inspection_default                           
match default-inspection-traffic                                
!
!
policy-map type inspect dns preset_dns_map                                     
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:26b17c4d709bc72a3d76158f2c9997bd
: end


help is appreciated, thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Hybrid461 Tue, 07/13/2010 - 08:39
User Badges:

Well for some unknown reason, clearing out the ACLs and nat commands, then re entering them made it work. I just dont understand computers sometimes.

Hybrid461 Wed, 07/14/2010 - 11:08
User Badges:

Whenever I execute a reload, or power cycle the asa, the ACLs have to be cleared and re entered. Anyone know why this may be?

Hybrid461 Thu, 07/15/2010 - 05:24
User Badges:

Some more information:

So im trying to get the opensource VPN to talk with a Cisco ASA for a  site-to-site VPN solution. I have an endpoint ubuntu machine using a  localhost adapter, the other ubuntu has openswan installed and is a  virutal machine as well on the same windows xp host. this openswan has  two virtual NICs, one is localhost to talk with the other ubuntu. The  second NIC is NAT to connect to the the windows machine, and the ASA  beyond that. On the otherside of the asa is a laptop running XP.

Openswan and the ASA are setup to start an ipsec vpn and talk to one  another. I can then send a file through the vpn with netcat. I sniff the  traffic along the way, and everything is encrypted with ESP.

So everything is fine up to this point. However should I need to execute  a reload or, the ASA gets power cycled, for whatever reason, the  packets that are sent from the ubuntu host, get stopped after the  outside interface of the ASA. If i clear the ACLs, reenter them, and  configure a couple other lines that referenced the ACLs, everything is  fine again. This also needs to occur if the openswan machine is rebooted.

Hybrid461 Thu, 07/15/2010 - 06:17
User Badges:

"ike initiator unable to find policy"


Is what im getting in buffered warning messages on the ASA.

Hybrid461 Thu, 07/15/2010 - 11:53
User Badges:

Some more progress in trying to fix, hope this can help point in the right direction. I removed the crypto dynamic-map line and the crypto map emap 60000 line referencing it. Now I get an error: no matching crypto map entry for remote proxy 10.10.10.0/255.255.255.0/0/0 local proxy 192.168.1.0/255.255.255.0/0/0  on interface outside.


Now i've been reading that for site-to-site ASAs you need mirrored ACLs for the crypto maps. So maybe someone can look at my iptables and see something?


$IPTABLES -A INPUT -p udp  --dport 500 -j ACCEPT
$IPTABLES -A OUTPUT -p udp  --dport 500 -j ACCEPT
$IPTABLES -A INPUT -p udp  --dport 4500 -j ACCEPT
$IPTABLES -A OUTPUT -p udp  --dport 4500 -j ACCEPT

$IPTABLES -A OUTPUT -p udp  --sport 4500 -j ACCEPT

$IPTABLES -t mangle -A PREROUTING -i eth0 -p esp -j MARK --set-mark 1
$IPTABLES -A FORWARD -i eth0 -m mark --mark 1 -s 10.10.10.0 -d 192.168.1.0/24 -j ACCEPT

Actions

This Discussion