

VPN site-to-site between ASA 5505 and 2911

Answered Question
Feb 8th, 2012

Hi all,


I'm trying to set up a site-to-site VPN between the office router (a 2911 with IP a.a.a.a) and a remote-office ASA 5505 running 8.4(3) (IP b.b.b.b), but with no luck.


2911 config:


!
! --- 2911: global settings ---
! NOTE(review): "service password-encryption" applies only the reversible
! type-7 obfuscation (the "password 7" lines further down). It hides
! credentials from casual viewing but does not protect them if the config
! is disclosed; "secret"-style hashes would.

version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname 2911

!

boot-start-marker

boot system flash c2900-universalk9-mz.SPA.152-2.T.bin

boot-end-marker

!

!

! Minimum 10-character passwords; warning-level (and above) buffered log.
security passwords min-length 10

logging buffered 51200 warnings

!

! No AAA: authentication is per-line ("login" / "login local" below).
no aaa new-model

!

!

ipv6 spd queue min-threshold 62

ipv6 spd queue max-threshold 63

no ipv6 cef

ip auth-proxy max-login-attempts 5

ip admission max-login-attempts 5

!

!

!

! --- DHCP: one pool per VLAN (10 servers, 22 voip, 33 desktops, 44 wi-fi,
! 55 DMZ). Addresses .1-.99 and .240-.254 of each subnet are reserved.
ip dhcp excluded-address 192.168.10.1 192.168.10.99

ip dhcp excluded-address 192.168.22.1 192.168.22.99

ip dhcp excluded-address 192.168.33.1 192.168.33.99

ip dhcp excluded-address 192.168.44.1 192.168.44.99

ip dhcp excluded-address 192.168.55.1 192.168.55.99

ip dhcp excluded-address 192.168.10.240 192.168.10.254

ip dhcp excluded-address 192.168.22.240 192.168.22.254

ip dhcp excluded-address 192.168.33.240 192.168.33.254

ip dhcp excluded-address 192.168.44.240 192.168.44.254

ip dhcp excluded-address 192.168.55.240 192.168.55.254

!

ip dhcp pool desktops

import all

network 192.168.33.0 255.255.255.0

default-router 192.168.33.254

! Every pool hands out the internal DNS/WINS server 192.168.10.10 plus two
! external resolvers.
dns-server 192.168.10.10 202.50.246.41 202.50.246.42

domain-name local

netbios-name-server 192.168.10.10

netbios-node-type h-node

!

ip dhcp pool wi-fi

import all

network 192.168.44.0 255.255.255.0

dns-server 192.168.10.10 202.50.246.41 202.50.246.42

domain-name local

default-router 192.168.44.254

netbios-name-server 192.168.10.10

netbios-node-type h-node

!

! NOTE(review): the DMZ pool also points clients at the internal server
! 192.168.10.10, so DMZ hosts presumably need a path into the servers VLAN;
! confirm that is intended, since no ACL on the sub-interfaces restricts it.
ip dhcp pool DMZ

import all

network 192.168.55.0 255.255.255.0

dns-server 192.168.10.10 202.50.246.41 202.50.246.42

domain-name local

default-router 192.168.55.254

netbios-name-server 192.168.10.10

netbios-node-type h-node

!

ip dhcp pool voip

import all

network 192.168.22.0 255.255.255.0

dns-server 192.168.10.10 202.50.246.41 202.50.246.42

domain-name local

default-router 192.168.22.254

netbios-name-server 192.168.10.10

netbios-node-type h-node

!

ip dhcp pool servers

import all

network 192.168.10.0 255.255.255.0

default-router 192.168.10.254

dns-server 192.168.10.10 202.50.246.41 202.50.246.42

domain-name local

netbios-name-server 192.168.10.10

netbios-node-type h-node

!

!

!

ip domain name domain

ip name-server 192.168.10.10

ip cef

! Login brute-force throttling: after 3 failed attempts within 180 s the
! router enters a 180 s quiet period, and each login is delayed 10 s.
login block-for 180 attempts 3 within 180

login delay 10

vlan ifdescr detail

!

multilink bundle-name authenticated

!

!

!

crypto pki token default removal timeout 0

!

! Self-signed certificate; presumably serves the HTTPS management server
! ("ip http secure-server" below) - TODO confirm. Revocation checking is
! disabled, which is the norm for a self-signed trustpoint.
crypto pki trustpoint TP-self-signed-3956567439

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3956567439

revocation-check none

rsakeypair TP-self-signed-3956567439

!

!

crypto pki certificate chain TP-self-signed-3956567439

certificate self-signed 01 nvram:IOS-Self-Sig#1.cer

! Chassis serial number redacted by the poster.
license udi pid CISCO2911/K9 sn

!

!

! FULL_NET drives the NAT_INTERNET ACL below. VLAN 55 (DMZ, 192.168.55.0/24)
! is NOT a member, so DMZ hosts are never translated toward the Internet -
! confirm that is intentional.
object-group network FULL_NET

description complete network range

192.168.10.0 255.255.255.0

192.168.11.0 255.255.255.0

192.168.22.0 255.255.255.0

192.168.33.0 255.255.255.0

192.168.44.0 255.255.255.0

!

! "limited" is not referenced anywhere else in this paste.
object-group network limited

description network without Servers and Router

192.168.22.0 255.255.255.0

192.168.33.0 255.255.255.0

192.168.44.0 255.255.255.0

!

!

vtp version 2


! Single local account (used by "login local" on the vty lines) with a
! reversible type-7 password. The vty lines set "privilege level 15", so
! how this privilege-0 user reaches privileged exec depends on the line vs.
! user precedence and on an "enable secret" that is not in this paste -
! TODO confirm.
username admin privilege 0 password 7 password

!

redundancy

!

!

!

!

!

no ip ftp passive

!

!

! --- IKEv1 phase 1 (as originally posted) ---
! No "group" is configured, so IOS uses its default DH group 1 (768-bit).
! The ASA side below offers group 2 in policy 10 (with 3DES) and group 1
! only with DES, so neither ASA policy matches this AES-256/SHA-512 proposal;
! that is consistent with "There are no IKEv1 SAs" in the show output.
crypto isakmp policy 10

encr aes 256

hash sha512

authentication pre-share

! NOTE(review): if "admin" is the literal pre-shared key rather than a
! redaction, it is trivially guessable - use a long random PSK.
crypto isakmp key admin address b.b.b.b  

crypto isakmp invalid-spi-recovery

!

!

! Phase 2 proposal: ESP AES-128 with SHA-1 HMAC. Matches the ASA's
! transform-set OFFICE (esp-aes esp-sha-hmac) in the config below.
crypto ipsec transform-set SET esp-aes esp-sha-hmac

!

!

!

! Site-to-site crypto map: peer b.b.b.b, transform-set SET, traffic
! selector ACL 160 (192.168.10.0/24 -> 192.168.17.0/24). No "set pfs" here;
! the ASA map actually bound to its WAN interface ("Office") has none either.
crypto map MAP 10 ipsec-isakmp

set peer b.b.b.b

set transform-set SET

match address 160

!

!

!

!

!

! --- LAN: one dot1Q sub-interface per VLAN on the Gi0/1+Gi0/2 bundle ---
! NOTE(review): none of the sub-interfaces carries an "ip access-group", so
! inter-VLAN traffic (including the DMZ VLAN 55) is routed unfiltered.
interface Port-channel1

no ip address

hold-queue 150 in

!

interface Port-channel1.1

encapsulation dot1Q 1 native

ip address 192.168.11.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Port-channel1.10

encapsulation dot1Q 10

ip address 192.168.10.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Port-channel1.22

encapsulation dot1Q 22

ip address 192.168.22.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Port-channel1.33

encapsulation dot1Q 33

ip address 192.168.33.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Port-channel1.44

encapsulation dot1Q 44

ip address 192.168.44.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

! DMZ VLAN: "ip nat inside" is set, but 192.168.55.0/24 is not in the
! NAT_INTERNET source group, so it is not actually translated.
interface Port-channel1.55

encapsulation dot1Q 55

ip address 192.168.55.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

! Unused interfaces are shut down; Gi0/1 and Gi0/2 form Port-channel1.
interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$

no ip address

shutdown

duplex auto

speed auto

!

interface GigabitEthernet0/1

no ip address

duplex auto

speed auto

channel-group 1

!

interface GigabitEthernet0/2

description $ES_LAN$

no ip address

duplex auto

speed auto

channel-group 1

!

! --- Internet-facing interface ---
! NOTE(review): there is no inbound "ip access-group" on this interface;
! only NAT state and the crypto map stand between the Internet and the
! router. Consider an inbound ACL that admits just ESP and UDP/500 (and
! UDP/4500) from peer b.b.b.b, return traffic, and nothing else to the
! router itself.
interface GigabitEthernet0/0/0

ip address a.a.a.a 255.255.255.224

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

crypto map MAP

!

!

ip forward-protocol nd

!

! Management over HTTPS only, local auth, restricted by ACL 23 (below).
no ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

! PAT of the FULL_NET subnets behind the WAN address.
ip nat inside source list NAT_INTERNET interface GigabitEthernet0/0/0 overload

! NOTE(review): this static entry maps the WAN address's own UDP/500 back
! to itself. IKE terminates on this router, so the entry looks unnecessary;
! confirm it is not interfering with locally terminated ISAKMP and remove
! it if not needed.
ip nat inside source static udp a.a.a.a 500 interface GigabitEthernet0/0/0 500

! Next hop redacted by the poster.
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx

!

! NAT exemption: traffic bound for the remote 192.168.17.0/24 and
! 192.168.1.0/24 is excluded from PAT so it can match the crypto ACL.
ip access-list extended NAT_INTERNET

deny   ip object-group FULL_NET 192.168.17.0 0.0.0.255

deny   ip object-group FULL_NET 192.168.1.0 0.0.0.255

permit ip object-group FULL_NET any

!

! ACL 1 and ACL 100 are not referenced anywhere else in this paste.
access-list 1 permit 192.168.44.100

! ACL 23 gates HTTPS and vty access: one server host plus the whole wi-fi
! VLAN (192.168.44.0/24). Confirm that management from the wi-fi segment is
! intended.
access-list 23 permit 192.168.10.7

access-list 23 permit 192.168.44.0 0.0.0.255

access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255

! Crypto ACL for crypto map MAP: 192.168.10.0/24 <-> 192.168.17.0/24. The
! ASA's crypto ACL must be the exact mirror (17.0/24 -> 10.0/24).
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255

!

!

!

control-plane

!

!


!

! Console: line password only (type 7). No "exec-timeout" is set on any
! line in this paste, so the IOS default idle timeout applies.
line con 0

password 7 password

login

line aux 0

! Async line for the service engine: "no exec" prevents a shell, but
! "transport input all" is broader than needed.
line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

! vty: SSH only, sources limited by ACL 23, local user database, and every
! session starts at privilege 15.
line vty 0 4

access-class 23 in

privilege level 15

login local

transport input ssh

line vty 5 15

access-class 23 in

privilege level 15

login local

transport input ssh

!

scheduler allocate 20000 1000

!

end






ASA config:


: Saved
:
! --- ASA 5505, 8.4(3) ---
! "enable password" (privileged exec) and "passwd" (legacy login) are
! redacted in this paste.
ASA Version 8.4(3) 
!
hostname C
domain-name domain
enable password password encrypted
passwd passwd encrypted
names
!
! Ethernet0/0 has no "switchport access vlan", so it is in the 5505 default
! VLAN 1 = WAN (Internet uplink).
interface Ethernet0/0
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
! Failover link (Vlan100).
interface Ethernet0/5
 switchport access vlan 100
!
! Trunk carrying OLD-Private (2) and Management (6).
interface Ethernet0/6
 switchport trunk allowed vlan 2,6
 switchport mode trunk
!
interface Ethernet0/7
 shutdown
!
! Static MAC addresses and "standby" IPs belong to the failover pair.
! "ospf cost" is present on each VLAN although no "router ospf" appears
! in this paste.
interface Vlan1
 description INTERNET
 mac-address 1234.5678.0001
 nameif WAN
 security-level 0
 ip address b.b.b.b 255.255.255.248 standby c.c.c.c 
 ospf cost 10
!
interface Vlan2
 description OLD-PRIVATE
 mac-address 1234.5678.0102
 nameif OLD-Private
 security-level 100
 ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3 
 ospf cost 10
!
interface Vlan6
 description MANAGEMENT
 mac-address 1234.5678.0106
 nameif Management
 security-level 100
 ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3 
 ospf cost 10
!
interface Vlan100
 description LAN Failover Interface
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 2:00
! DNS resolution from the ASA itself goes out the WAN to a public resolver.
dns domain-lookup WAN
dns server-group DefaultDNS
 name-server 208.67.222.222
 domain-name domain
! Hairpinning allowed: traffic may enter and leave on the same interface
! (typically needed for remote-access VPN users reaching the Internet).
same-security-traffic permit intra-interface
! Network objects; several (obj-192.168.17.0, obj-192.168.10.0, obj_any,
! obj_any-01, DM_INLINE_NETWORK_2, RDP/TCPUDP) are not referenced anywhere
! else in this paste and look like ASDM / pre-8.3 migration leftovers.
object network obj-192.168.17.0
 subnet 192.168.17.0 255.255.255.0
object network obj-192.168.10.0
 subnet 192.168.10.0 255.255.255.0
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network obj-192.168.9.0
 subnet 192.168.9.0 255.255.255.0
object network obj-192.168.33.0
 subnet 192.168.33.0 255.255.255.0
object network obj-192.168.44.0
 subnet 192.168.44.0 255.255.255.0
object network obj_any
object network obj_any-01
object network NETWORK_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_192.168.17.0_24
 subnet 192.168.17.0 255.255.255.0
! subnet-00 = 0.0.0.0/0; its PAT rule appears later in the config.
object network subnet-00
 subnet 0.0.0.0 0.0.0.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service RDP tcp
 description RDP
 port-object eq 3389
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.17.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.33.0 255.255.255.0
 network-object 192.168.44.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.33.0 255.255.255.0
 network-object 192.168.44.0 255.255.255.0
object-group network subnet-17
 network-object 192.168.17.0 255.255.255.0
object-group network subnet-2
 network-object 192.168.2.0 255.255.255.0
object-group network subnet-9
 network-object 192.168.9.0 255.255.255.0
object-group network subnet-10
 network-object 192.168.10.0 255.255.255.0
! The *_nat0_outbound, LAN_IP*, LAN_access_in, 101, inside_nat0_outbound,
! nonat-in and vpnusers_splitTunnelAcl ACLs are not referenced anywhere
! else in this paste (8.4 expresses NAT exemption with "nat ... static"
! rules, not nat0 ACLs), so they look like pre-8.3 leftovers.
access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0 
access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 
access-list LAN_IP standard permit 192.168.17.0 255.255.255.0 
! NOTE(review): WAN_access_in is applied inbound on the Internet interface
! and its first line permits every protocol from any source to any
! destination. The RDP and ICMP lines after it are shadowed and never
! matched. How much this exposes depends on which translations exist (only
! dynamic PAT and identity NATs are visible here), but an Internet-facing
! interface should permit only the intended services and rely on the
! implicit deny. "log debugging" on a permit-any also emits a syslog per
! connection.
access-list WAN_access_in extended permit ip any any log debugging 
access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging 
access-list WAN_access_in extended permit icmp x.x.x.x 255.255.255.248 192.168.10.0 255.255.255.0 
! The same permit-any pattern is used inbound on Management and OLD-Private.
access-list MANAGEMENT_access_in extended permit ip any any log debugging 
access-list OLD-PRIVATE_access_in extended permit ip any any log debugging 
access-list OLD-PRIVATE_access_in extended permit icmp any object-group DM_INLINE_NETWORK_1 
access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging 
! Crypto ACL bound (via crypto map Office) to the tunnel with a.a.a.a.
! As posted, neither line mirrors the router's ACL 160
! (192.168.10.0/24 <-> 192.168.17.0/24); the first line also covers
! 192.168.1.0/24, which no identity NAT rule below exempts.
access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 
access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 
access-list CiscoVPNClient_splitTunnelAcl standard permit 192.168.17.0 255.255.255.0 
access-list LAN_access_in extended permit ip any any log debugging 
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0 
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 
! WAN_2_cryptomap would be the correct mirror of ACL 160 but is not bound
! to any crypto map in this paste.
access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0 
access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 
access-list LAN_IP_inbound standard permit 192.168.10.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0 
access-list vpnusers_splitTunnelAcl extended permit ip 192.168.17.0 255.255.255.0 any 
access-list nonat-in extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0 
pager lines 24
! Syslog to an internal collector at informational level; errors are also
! e-mailed via the smtp-server configured at the end. "logging debug-trace"
! additionally forwards debug output to syslog.
logging enable
logging buffer-size 52000
logging monitor informational
logging trap informational
logging asdm informational
logging from-address syslog
logging recipient-address admin level errors
logging host OLD-Private 192.168.17.110 format emblem
logging debug-trace
logging permit-hostdown
mtu WAN 1500
mtu OLD-Private 1500
mtu Management 1500
! VPN_Admin_IP is carved out of the Management subnet (192.168.1.0/24) and
! is not referenced by any tunnel-group in this paste; vpnclient (5
! addresses) is shared by both remote-access tunnel-groups.
ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0
ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0
! Active/standby failover over Vlan100 with a (redacted) shared key, so the
! failover/state traffic is authenticated and encrypted.
failover
failover lan unit primary
failover lan interface failover Vlan100
failover polltime interface 15 holdtime 75
failover key *****
failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
! ICMP to the ASA itself: private sources on WAN are only reachable through
! the tunnel; everything else on WAN is explicitly denied.
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.10.0 255.255.255.0 WAN
icmp permit host x.x.x.x WAN
icmp permit 192.168.17.0 255.255.255.0 WAN
icmp permit host c.c.c.c WAN
icmp permit host a.a.a.a WAN
icmp deny any WAN
icmp permit 192.168.10.0 255.255.255.0 OLD-Private
icmp permit 192.168.17.0 255.255.255.0 OLD-Private
icmp permit host a.a.a.a OLD-Private
! NOTE(review): "host 192.168.10.0" is a network address, probably meant as
! "192.168.10.0 255.255.255.0".
icmp permit host 192.168.10.0 Management
icmp permit host 192.168.17.138 Management
icmp permit 192.168.1.0 255.255.255.0 Management
icmp permit host 192.168.1.26 Management
icmp permit host a.a.a.a Management
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
! Identity (no-translation) rules so OLD-Private traffic to the remote
! 192.168.10.0/24 and the VPN pools (192.168.2.0/24, 192.168.9.0/24) keeps
! its real addresses for the crypto ACLs.
nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-10 subnet-10 no-proxy-arp
nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-2 subnet-2 no-proxy-arp
nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-9 subnet-9 no-proxy-arp
! NOTE(review): this rule is on the Management interface (192.168.1.0/24)
! but its source object is 192.168.17.0/24; looks like an ASDM-generated
! rule with the wrong object - confirm. There is no identity NAT for
! 192.168.1.0/24 -> 192.168.10.0/24 in this paste.
nat (Management,WAN) source static NETWORK_OBJ_192.168.17.0_24 NETWORK_OBJ_192.168.17.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
!
! Dynamic PAT of everything from OLD-Private behind the WAN address.
object network subnet-00
 nat (OLD-Private,WAN) dynamic interface
! All three interfaces get a permit-any inbound ACL (see the ACL section).
access-group WAN_access_in in interface WAN
access-group OLD-PRIVATE_access_in in interface OLD-Private
access-group MANAGEMENT_access_in in interface Management
route WAN 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
! SSH uses the local user database; accounts lock after 10 failures.
aaa authentication ssh console LOCAL 
aaa local authentication attempts max-fail 10
! NOTE(review): "http 0.0.0.0 0.0.0.0 WAN" exposes ASDM/HTTPS management to
! the entire Internet, protected only by the single local "admin" account.
! Restrict it to the specific management sources (the way "ssh a.a.a.a ..."
! does below) or remove it from WAN altogether.
http server enable
http b.b.b.b 255.255.255.255 WAN
http 0.0.0.0 0.0.0.0 WAN
! SNMP traps are enabled but no snmp-server host/community is in this paste.
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
! --- IPsec / IKE (as originally posted) ---
! Phase 2 proposal; matches the router's "SET" (esp-aes esp-sha-hmac).
crypto ipsec ikev1 transform-set OFFICE esp-aes esp-sha-hmac 
! Three partial crypto maps exist: WAN_map (match + pfs, no peer/transform,
! not bound to an interface), Office (match + peer, no transform-set - the
! gap the accepted answer fills) and MAP (peer + transform, no match, not
! bound). Only "Office" is applied to WAN.
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set pfs 
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Office 2 match address WAN_1_cryptomap
crypto map Office 2 set peer a.a.a.a 
crypto map Office interface WAN
crypto map MAP 10 set peer a.a.a.a 
crypto map MAP 10 set ikev1 transform-set OFFICE
! IKEv2 is enabled on WAN although no IKEv2 policy exists in this paste.
crypto ikev2 enable WAN
crypto ikev1 enable WAN
! Policy 10: 3DES/SHA-1/group 2 - legacy but accepted; it does not match
! the router's AES-256/SHA-512/default-group-1 proposal.
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! NOTE(review): policy 30 offers single DES with DH group 1, both long
! considered inadequate; it should be removed rather than matched.
crypto ikev1 policy 30
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
! No "telnet <host>" statements, so telnet is not permitted from anywhere.
! SSH on WAN is limited to the router's address; SSHv2 only.
telnet timeout 5
ssh a.a.a.a 255.255.255.255 WAN
ssh timeout 30
ssh version 2
! Console sessions never time out.
console timeout 0

dhcpd auto_config OLD-Private
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
! Unauthenticated NTP from a public server over WAN.
ntp server 129.6.15.28 source WAN prefer
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
group-policy admin internal
group-policy admin attributes
 dns-server value 208.67.222.222 156.154.70.1
 vpn-tunnel-protocol ikev1 
group-policy GroupPolicy_a.a.a.a internal
group-policy GroupPolicy_a.a.a.a attributes
 vpn-tunnel-protocol ikev1 ikev2 
! Remote-access policy with split tunnelling to 192.168.17.0/24 only.
group-policy CiscoVPNClient internal
group-policy CiscoVPNClient attributes
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CiscoVPNClient_splitTunnelAcl
! Single shared privilege-15 account serves SSH, ASDM and VPN access.
username admin password password encrypted privilege 15
tunnel-group admin type remote-access
tunnel-group admin general-attributes
 address-pool vpnclient
 authorization-server-group LOCAL
 default-group-policy admin
! LAN-to-LAN tunnel-group for the 2911; PSKs are redacted. The IKEv2 keys
! are unused as long as no IKEv2 policy is configured.
tunnel-group a.a.a.a type ipsec-l2l
tunnel-group a.a.a.a general-attributes
 default-group-policy GroupPolicy_a.a.a.a
tunnel-group a.a.a.a ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group CiscoVPNClient type remote-access
tunnel-group CiscoVPNClient general-attributes
 address-pool vpnclient
 default-group-policy CiscoVPNClient
tunnel-group CiscoVPNClient ipsec-attributes
 ikev1 pre-shared-key *****
!
! Default application inspection set, applied globally.
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
! Relay used by "logging recipient-address" for error-level alerts.
smtp-server 192.168.17.10
prompt hostname context 
! Call-home (Smart Call Home to Cisco TAC) is present but inactive.
no call-home reporting anonymous
call-home
 contact-email-addr admin
 contact-name admin
 profile CiscoTAC-1
  no active


: end
! ASDM bookkeeping lines that follow the running-config in the paste.
asdm image disk0:/asdm-647.bin
asdm location c.c.c.c 255.255.255.255 WAN
asdm location 192.168.17.2 255.255.255.255 WAN
asdm location a.a.a.a 255.255.255.255 OLD-Private
no asdm history enable


ASA:

# show crypto ipsec sa


There are no ipsec sas

# show crypto isakmp sa


There are no IKEv1 SAs


There are no IKEv2 SAs


2911:

#show crypto ipsec sa


interface: GigabitEthernet0/0/0

    Crypto map tag: MAP, local addr a.a.a.a


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)

   current_peer b.b.b.b port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 4, #recv errors 0


     local crypto endpt.: a.a.a.a, remote crypto endpt.: b.b.b.b

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none


     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:




Thanks for your time,

Nick

Correct Answer by Eugene Khabarov about 5 years 6 months ago

Please add

crypto map Office 2 set ikev1 transform-set OFFICE


If that does not help, please enable `debug crypto ipsec 255` and paste the output here.

HTH. Please rate if it was helpful. "Correct answer" will be also pleasant.
Eugene Khabarov Wed, 02/08/2012 - 23:57
access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0

is not a mirror image of ACL 160 on the router:

access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255


That's the problem.


BTW, the ACLs WAN_2_cryptomap and WAN_cryptomap_2 are not used anywhere on the ASA.

HTH. Please rate if it was helpful. "Correct answer" will be also pleasant.
Nick Sinyakov Thu, 02/09/2012 - 00:19

Hi Evgeniy,


I've replaced the access-list.


Result of the command: "show run | include WAN_1_cryptomap"


access-list WAN_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0

access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0

crypto map WAN_map 1 match address WAN_1_cryptomap

crypto map Office 2 match address WAN_1_cryptomap


Tunnel is still down. In ASDM I see:


IP = a.a.a.a, Error processing payload: Payload ID: 1



Eugene Khabarov Thu, 02/09/2012 - 00:41
First, I think IKEv2 is not required in tunnel-group a.a.a.a ipsec-attributes.

Second, your ISAKMP/IKE policies are incompatible between IOS and ASA:


On IOS:


crypto isakmp policy 10

encr aes 256

hash sha512

authentication pre-share

crypto isakmp key admin address b.b.b.b  

crypto isakmp invalid-spi-recovery



On ASA:


crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400



They should match.


HTH. Please rate if it was helpful. "Correct answer" will be also pleasant.
Nick Sinyakov Thu, 02/09/2012 - 01:52

IKEv2 has been removed from the ASA config, and the crypto policies are now:


crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 1
 lifetime 86400

Now, in addition to "Payload ID: 1", another error has appeared:

Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2

Eugene Khabarov Thu, 02/09/2012 - 02:06

Please configure on IOS:


crypto isakmp policy 10

encr aes 256

hash sha

authentication pre-share

group 2



On ASA you can try to remove:


crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 1
 lifetime 86400


HTH. Please rate if it was helpful. "Correct answer" will be also pleasant.
Nick Sinyakov Thu, 02/09/2012 - 02:30
Updated ASA config:

crypto ikev1 enable WAN
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet timeout 5


And IOS: hash sha512 -> hash sha


Now ASDM shows 1 IPsec connection, then replies with the error:

IP = a.a.a.a, Received encrypted packet with no matching SA, dropping


Full log:

5|Feb 09 2012|23:20:14|713904|||||IP = a.a.a.a, Received encrypted packet with no matching SA, dropping

4|Feb 09 2012|23:20:13|113019|||||Group = a.a.a.a, Username = a.a.a.a, IP = a.a.a.a, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found

5|Feb 09 2012|23:20:13|713259|||||Group = a.a.a.a, IP = a.a.a.a, Session is being torn down. Reason: crypto map policy not found

3|Feb 09 2012|23:20:13|713902|||||Group = a.a.a.a, IP = a.a.a.a, Removing peer from correlator table failed, no match!

3|Feb 09 2012|23:20:13|713902|||||Group = a.a.a.a, IP = a.a.a.a, QM FSM error (P2 struct &0xcb4ce360, mess id 0x2f1dae8b)!

3|Feb 09 2012|23:20:13|713061|||||Group = a.a.a.a, IP = a.a.a.a, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.10.0/255.255.255.0/0/0 local proxy 192.168.17.0/255.255.255.0/0/0 on interface WAN

5|Feb 09 2012|23:20:13|713119|||||Group = a.a.a.a, IP = a.a.a.a, PHASE 1 COMPLETED

6|Feb 09 2012|23:20:13|113009|||||AAA retrieved default group policy (GroupPolicy_a.a.a.a) for user = a.a.a.a

6|Feb 09 2012|23:20:13|713172|||||Group = a.a.a.a, IP = a.a.a.a, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device

1|Feb 09 2012|23:19:51|105009|||||(Primary) Testing on interface WAN Passed

1|Feb 09 2012|23:19:51|105008|||||(Primary) Testing Interface WAN

5|Feb 09 2012|23:19:44|713904|||||IP = a.a.a.a, Received encrypted packet with no matching SA, dropping

4|Feb 09 2012|23:19:43|113019|||||Group = a.a.a.a, Username = a.a.a.a, IP = a.a.a.a, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found

5|Feb 09 2012|23:19:43|713259|||||Group = a.a.a.a, IP = a.a.a.a, Session is being torn down. Reason: crypto map policy not found

3|Feb 09 2012|23:19:43|713902|||||Group = a.a.a.a, IP = a.a.a.a, Removing peer from correlator table failed, no match!

3|Feb 09 2012|23:19:43|713902|||||Group = a.a.a.a, IP = a.a.a.a, QM FSM error (P2 struct &0xcb4ce360, mess id 0x268ce1b3)!

3|Feb 09 2012|23:19:43|713061|||||Group = a.a.a.a, IP = a.a.a.a, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.10.0/255.255.255.0/0/0 local proxy 192.168.17.0/255.255.255.0/0/0 on interface WAN

5|Feb 09 2012|23:19:43|713119|||||Group = a.a.a.a, IP = a.a.a.a, PHASE 1 COMPLETED

6|Feb 09 2012|23:19:43|113009|||||AAA retrieved default group policy (GroupPolicy_a.a.a.a) for user = a.a.a.a

6|Feb 09 2012|23:19:43|713172|||||Group = a.a.a.a, IP = a.a.a.a, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device

Eugene Khabarov Thu, 02/09/2012 - 02:33

That's good! We are one step closer. Now the problem is with your Phase 2 SAs.


Key moment here is:


3|Feb 09 2012|23:19:43|713061|||||Group = a.a.a.a, IP = a.a.a.a,  Rejecting IPSec tunnel: no matching crypto map entry for remote proxy  192.168.10.0/255.255.255.0/0/0 local proxy


BTW

crypto map MAP

is used nowhere. I suggest you remove it from the ASA's config.


Please show me your ASA and IOS configs once again. I expect you will modify your ACLs to look like this:


On ASA:


access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0 



On IOS:


access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255


And nothing more.


HTH. Please rate if it was helpful. "Correct answer" will be also pleasant.
Nick Sinyakov Thu, 02/09/2012 - 02:54
User Badges:

IOS config:


!

! Last configuration change at 10:17:28 UTC Thu Feb 9 2012 by admin

! NVRAM config last updated at 10:17:49 UTC Thu Feb 9 2012 by admin

! NVRAM config last updated at 10:17:49 UTC Thu Feb 9 2012 by admin

version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname host

!

boot-start-marker

boot system flash c2900-universalk9-mz.SPA.152-2.T.bin

boot-end-marker

!

!

security passwords min-length 10

logging buffered 51200 warnings

!

no aaa new-model

!

!

ipv6 spd queue min-threshold 62

ipv6 spd queue max-threshold 63

no ipv6 cef

ip auth-proxy max-login-attempts 5

ip admission max-login-attempts 5

!

!

!

ip dhcp excluded-address 192.168.10.1 192.168.10.99

ip dhcp excluded-address 192.168.22.1 192.168.22.99

ip dhcp excluded-address 192.168.33.1 192.168.33.99

ip dhcp excluded-address 192.168.44.1 192.168.44.99

ip dhcp excluded-address 192.168.55.1 192.168.55.99

ip dhcp excluded-address 192.168.10.240 192.168.10.254

ip dhcp excluded-address 192.168.22.240 192.168.22.254

ip dhcp excluded-address 192.168.33.240 192.168.33.254

ip dhcp excluded-address 192.168.44.240 192.168.44.254

ip dhcp excluded-address 192.168.55.240 192.168.55.254

!

ip dhcp pool desktops

import all

network 192.168.33.0 255.255.255.0

default-router 192.168.33.254

dns-server 192.168.10.10 202.50.246.41 202.50.246.42

domain-name local

netbios-name-server 192.168.10.10

netbios-node-type h-node

!

ip dhcp pool wi-fi

import all

network 192.168.44.0 255.255.255.0

dns-server 192.168.10.10 202.50.246.41 202.50.246.42

domain-name local

default-router 192.168.44.254

netbios-name-server 192.168.10.10

netbios-node-type h-node

!

ip dhcp pool DMZ

import all

network 192.168.55.0 255.255.255.0

dns-server 192.168.10.10 202.50.246.41 202.50.246.42

domain-name local

default-router 192.168.55.254

netbios-name-server 192.168.10.10

netbios-node-type h-node

!

ip dhcp pool voip

import all

network 192.168.22.0 255.255.255.0

dns-server 192.168.10.10 202.50.246.41 202.50.246.42

domain-name local

default-router 192.168.22.254

netbios-name-server 192.168.10.10

netbios-node-type h-node

!

ip dhcp pool servers

import all

network 192.168.10.0 255.255.255.0

default-router 192.168.10.254

dns-server 192.168.10.10 202.50.246.41 202.50.246.42

domain-name local

netbios-name-server 192.168.10.10

netbios-node-type h-node

!

!

ip domain name domain

ip name-server 192.168.10.10

ip cef

login block-for 180 attempts 3 within 180

login delay 10

vlan ifdescr detail

!

multilink bundle-name authenticated

!

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-3956567439

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3956567439

revocation-check none

rsakeypair TP-self-signed-3956567439

!

!

crypto pki certificate chain TP-self-signed-3956567439

certificate self-signed 01

  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 33393536 35363734 3339301E 170D3132 30313036 30313036

  34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39353635

  36373433 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100BBBC B2F63B46 7BBC2153 2CBE7448 75C4242B F1889273 60514BBC DDE1DA56

  E39DBB15 1F287CC1 152524A5 D87A8A56 13EAFB5B B84C84AB C25D6FA4 976A2CD5

  D1A33DE0 0433C73B D4202B8B 11237BC9 D7DF4B94 826020BB 46EFD1BF 84FB7743

  9FA14E39 2725527B 7E9533AE E6785232 FC74EA73 08F60A6F 186A3637 26019E4A

  2FCB0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

  551D2304 18301680 14AC4CB9 4112EF5F A5B1E2DF AAF07C77 25B01101 C5301D06

  03551D0E 04160414 AC4CB941 12EF5FA5 B1E2DFAA F07C7725 B01101C5 300D0609

  2A864886 F70D0101 05050003 818100B0 92B2D45B DDE83E4A 322F2091 4A098970

  63AE4657 9066FB28 74B33515 93DDD8A5 2BAD749C 5B7D3CB0 AD35C84F AE356765

  684BFFB4 0890D062 F318F65C 0DF2710E 2C31BC4F 4FEBE931 C438803B A09D2DCF

  BF9A4DC5 72DC227D 1D41F488 5382C952 0A1E4491 0A596C3B BFAEA355 5CD436DF

  7B3E69EB 5C5BEF9E 129B736F 067CB0

      quit

license udi pid CISCO2911/K9 sn

!

!

object-group network FULL_NET

description complete network range

192.168.10.0 255.255.255.0

192.168.11.0 255.255.255.0

192.168.22.0 255.255.255.0

192.168.33.0 255.255.255.0

192.168.44.0 255.255.255.0

!

object-group network limited

description network without Servers and Router

192.168.22.0 255.255.255.0

192.168.33.0 255.255.255.0

192.168.44.0 255.255.255.0

!

vtp version 2

username admin privilege 0 password 7 password

!

redundancy

!

!

!

!

!

no ip ftp passive

!

!

! --- IKEv1 phase 1 (updated) ---
! "hash" is no longer shown because IOS hides defaults in the running
! config: the default is SHA-1, which now matches the ASA's "hash sha".
! Group 2 matches the ASA's policy 10; lifetime stays at the 86400 default.
crypto isakmp policy 10

encr aes 256

authentication pre-share

group 2

! NOTE(review): if "admin" is the literal pre-shared key rather than a
! redaction, replace it with a long random PSK on both peers.
crypto isakmp key admin address b.b.b.b  

crypto isakmp invalid-spi-recovery

!

!

! Renamed from SET; still ESP AES-128 / SHA-1 HMAC, matching the ASA's OFFICE.
crypto ipsec transform-set PEER1 esp-aes esp-sha-hmac

!

!

!

! Site-to-site crypto map (updated): peer b.b.b.b, transform-set PEER1,
! traffic selector ACL 160. For phase 2 to complete, the ASA crypto ACL
! must be the exact mirror of ACL 160 and its map entry must carry a
! transform-set.
crypto map MAP 10 ipsec-isakmp

set peer b.b.b.b

set transform-set PEER1

match address 160

!

!

!

!

!

! LAN side: one EtherChannel trunk (Gi0/1 + Gi0/2) with one sub-interface
! per VLAN, all "ip nat inside". 192.168.11.0/24 (native VLAN 1) is in
! FULL_NET; 192.168.55.0/24 (VLAN 55, the DMZ DHCP pool) is not.
interface Port-channel1

no ip address

hold-queue 150 in

!

interface Port-channel1.1

encapsulation dot1Q 1 native

ip address 192.168.11.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

! VLAN 10: servers; the only subnet in the crypto ACL (access-list 160).
interface Port-channel1.10

encapsulation dot1Q 10

ip address 192.168.10.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Port-channel1.22

encapsulation dot1Q 22

ip address 192.168.22.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Port-channel1.33

encapsulation dot1Q 33

ip address 192.168.33.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

! VLAN 44 (wi-fi) is also in access-list 23, i.e. it may reach the
! router's HTTPS and SSH management.
interface Port-channel1.44

encapsulation dot1Q 44

ip address 192.168.44.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

! VLAN 55 (DMZ pool): "ip nat inside" but not in FULL_NET, so no Internet
! translation applies to it.
interface Port-channel1.55

encapsulation dot1Q 55

ip address 192.168.55.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$

no ip address

shutdown

duplex auto

speed auto

!

! Gi0/1 and Gi0/2 are the members of Port-channel1.
interface GigabitEthernet0/1

no ip address

duplex auto

speed auto

channel-group 1

!

interface GigabitEthernet0/2

description $ES_LAN$

no ip address

duplex auto

speed auto

channel-group 1

!

! Internet-facing interface: NAT outside and the IPsec crypto map live
! here. No "ip access-group ... in" is applied in the visible
! configuration, so the router's management services rely on
! access-class 23 alone; consider an inbound ACL that admits only
! ISAKMP/ESP from b.b.b.b plus established return traffic.
interface GigabitEthernet0/0/0

ip address a.a.a.a 255.255.255.224

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

crypto map MAP

!

ip forward-protocol nd

!

! HTTPS management only (plain HTTP disabled). Reachability is limited by
! access-list 23: host 192.168.10.7 and the whole wi-fi VLAN
! 192.168.44.0/24 -- consider dropping the wireless /24 from ACL 23.
no ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

! PAT of everything matching NAT_INTERNET to the WAN address.
ip nat inside source list NAT_INTERNET interface GigabitEthernet0/0/0 overload

! Static UDP/500 entry that maps the outside address to itself; presumably
! intended to keep ISAKMP from being rewritten by the overload rule above.
! Unusual -- confirm it is still needed once the tunnel is stable.
ip nat inside source static udp a.a.a.a 500 interface GigabitEthernet0/0/0 500

ip route 0.0.0.0 0.0.0.0 c.c.c.c

!

! NAT exemption: traffic to the two remote subnets is never translated, so
! it can match the crypto ACL instead. Exempting all of FULL_NET while
! access-list 160 only encrypts 192.168.10.0/24 means packets from
! 192.168.22/33/44.0 to 192.168.17.0 leave neither translated nor
! encrypted; extend 160 on both peers when the other VLANs are added.
ip access-list extended NAT_INTERNET

deny   ip object-group FULL_NET 192.168.17.0 0.0.0.255

! 192.168.1.0/24 (the ASA's Management VLAN) is exempted here but no crypto
! ACL on this router covers it.
deny   ip object-group FULL_NET 192.168.1.0 0.0.0.255

permit ip object-group FULL_NET any

!

! Not referenced in the visible configuration.
access-list 1 permit 192.168.44.100

! Management sources for "ip http access-class 23" and the vty lines.
access-list 23 permit 192.168.10.7

access-list 23 permit 192.168.44.0 0.0.0.255

! Identical to 160 but not referenced by any crypto map -- leftover.
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255

! Crypto ACL for crypto map MAP 10; the ASA side must be its exact mirror
! (192.168.17.0/24 -> 192.168.10.0/24).
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255

!

!

!

control-plane

!

!

!

! Console: type 7 password (reversible); prefer "login local" so the
! username database is used here as well.
line con 0

password 7 password

login

line aux 0

! Line 2 is the Embedded-Service-Engine console; "no exec" keeps it from
! giving a shell, but "transport input all" is wider than needed.
line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

! Remote CLI: SSH only, sources limited by access-list 23. "privilege
! level 15" hands enable-level access to whoever authenticates via
! "login local" -- see the privilege-0 username above; confirm this is the
! intended effective level.
line vty 0 4

access-class 23 in

privilege level 15

login local

transport input ssh

line vty 5 15

access-class 23 in

privilege level 15

login local

transport input ssh

!

scheduler allocate 20000 1000

!

end


---------------------------------------------------------------------------------------------------------------------------------------



ASA config:

: Saved

:

ASA Version 8.4(3)

!

hostname host

domain-name domain

! Both values are redacted in the post. "passwd" is the Telnet/SSH login
! password used when no AAA is configured; SSH here uses LOCAL (see "aaa
! authentication ssh console LOCAL" below). No "aaa authentication http
! console" is visible, so ASDM logins presumably use the enable password --
! confirm and point them at LOCAL too.
enable password password encrypted

passwd passwd encrypted

names

!

! No switchport configuration, so presumably the default Vlan1 member --
! i.e. the WAN port.
interface Ethernet0/0

!

interface Ethernet0/1

shutdown

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

! Failover link (Vlan100).
interface Ethernet0/5

switchport access vlan 100

!

! Trunk carrying OLD-Private (2) and Management (6).
interface Ethernet0/6

switchport trunk allowed vlan 2,6

switchport mode trunk

!

interface Ethernet0/7

shutdown

!

! Internet-facing, security-level 0; b.b.b.b/29 with a standby address for
! the failover pair.
interface Vlan1

description INTERNET

mac-address 1234.5678.0001

nameif WAN

security-level 0

ip address b.b.b.b 255.255.255.248 standby x.x.x.x

ospf cost 10

!

! Inside LAN 192.168.17.0/24 -- the local side of the L2L tunnel.
interface Vlan2

description OLD-PRIVATE

mac-address 1234.5678.0102

nameif OLD-Private

security-level 100

ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3

ospf cost 10

!

! Management VLAN 192.168.1.0/24, same security level as OLD-Private.
interface Vlan6

description MANAGEMENT

mac-address 1234.5678.0106

nameif Management

security-level 100

ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3

ospf cost 10

!

! Dedicated failover interface; addressed by "failover interface ip" below.
interface Vlan100

description LAN Failover Interface

!

boot system disk0:/asa843-k8.bin

ftp mode passive

clock timezone NZST 12

clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 2:00

! DNS lookups go out the WAN interface; the resolver address is redacted.
dns domain-lookup WAN

dns server-group DefaultDNS

name-server xxx.xxx.xxx.xxx

  domain-name domain

! Lets traffic enter and leave the same interface (hairpin), e.g. a
! remote-access client on WAN reaching the L2L tunnel on WAN.
same-security-traffic permit intra-interface

! The same subnets are described up to three times (obj-192.168.10.0,
! NETWORK_OBJ_192.168.10.0_24, subnet-10; likewise for .17). Only the
! subnet-* groups, the NETWORK_OBJ_* objects and subnet-00 are used by the
! NAT rules below; the obj-* objects are not referenced in the visible
! configuration.
object network obj-192.168.17.0

subnet 192.168.17.0 255.255.255.0

object network obj-192.168.10.0

subnet 192.168.10.0 255.255.255.0

object network obj-192.168.2.0

subnet 192.168.2.0 255.255.255.0

object network obj-192.168.9.0

subnet 192.168.9.0 255.255.255.0

object network obj-192.168.33.0

subnet 192.168.33.0 255.255.255.0

object network obj-192.168.44.0

subnet 192.168.44.0 255.255.255.0

! Empty objects (no subnet/host statement) and not referenced.
object network obj_any

object network obj_any-01

object network NETWORK_OBJ_192.168.10.0_24

subnet 192.168.10.0 255.255.255.0

object network NETWORK_OBJ_192.168.17.0_24

subnet 192.168.17.0 255.255.255.0

! Used by the object NAT (PAT) rule below.
object network subnet-00

subnet 0.0.0.0 0.0.0.0

! Not referenced in the visible configuration.
object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service RDP tcp

description RDP

port-object eq 3389

! Used by OLD-PRIVATE_access_in (icmp).
object-group network DM_INLINE_NETWORK_1

network-object 192.168.17.0 255.255.255.0

network-object 192.168.10.0 255.255.255.0

network-object 192.168.33.0 255.255.255.0

network-object 192.168.44.0 255.255.255.0

! Not referenced in the visible configuration.
object-group network DM_INLINE_NETWORK_2

network-object 192.168.10.0 255.255.255.0

network-object 192.168.33.0 255.255.255.0

network-object 192.168.44.0 255.255.255.0

! subnet-17/2/9/10 feed the identity NAT (exemption) rules below.
object-group network subnet-17

network-object 192.168.17.0 255.255.255.0

object-group network subnet-2

network-object 192.168.2.0 255.255.255.0

object-group network subnet-9

network-object 192.168.9.0 255.255.255.0

object-group network subnet-10

network-object 192.168.10.0 255.255.255.0

! LAN_nat0_outbound, WAN_nat0_outbound, inside_nat0_outbound and nonat-in
! are pre-8.3-style NAT-exemption ACLs; no "nat ... access-list" refers to
! them here (8.4 uses the twice-NAT rules below), so they are dead.
access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0

! Not referenced in the visible configuration.
access-list LAN_IP standard permit 192.168.17.0 255.255.255.0

! Applied inbound on WAN. The first line permits everything from the
! Internet, so the RDP and ICMP lines after it are shadowed and the
! interface is effectively unfiltered (only the NAT table limits what is
! reachable). Replace with the specific permits that are actually needed.
! Note the RDP line also matches *source* port 3389.
access-list WAN_access_in extended permit ip any any log debugging

access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging

access-list WAN_access_in extended permit icmp x.x.x.x 255.255.255.248 192.168.10.0 255.255.255.0

! Inside-facing ACLs: permit any any; the icmp line below it is shadowed.
access-list MANAGEMENT_access_in extended permit ip any any log debugging

access-list OLD-PRIVATE_access_in extended permit ip any any log debugging

access-list OLD-PRIVATE_access_in extended permit icmp any object-group DM_INLINE_NETWORK_1

! Not referenced in the visible configuration.
access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging

! Crypto ACL for crypto map Office 2. Only the line with the local network
! 192.168.17.0/24 as source belongs here; the reversed first line is what
! the accepted answer removes (it does not mirror the router's ACL 160 and
! breaks proxy-identity matching -- see the 713061 syslog below).
access-list WAN_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0

access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0

! Not referenced by any crypto map in the visible configuration.
access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list CiscoVPNClient_splitTunnelAcl standard permit 192.168.17.0 255.255.255.0

! Not referenced in the visible configuration.
access-list LAN_access_in extended permit ip any any log debugging

access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0

! Not referenced by any crypto map in the visible configuration.
access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0

! Not referenced in the visible configuration.
access-list LAN_IP_inbound standard permit 192.168.10.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0

! Not referenced (CiscoVPNClient uses CiscoVPNClient_splitTunnelAcl).
access-list vpnusers_splitTunnelAcl extended permit ip 192.168.17.0 255.255.255.0 any

access-list nonat-in extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0

pager lines 24

! Syslog at informational to 192.168.17.110 (EMBLEM) over OLD-Private;
! "logging debug-trace" routes debug output into syslog as well, so
! "debug crypto" sessions will land on that host. The recipient address
! is redacted.
logging enable

logging buffer-size 52000

logging monitor informational

logging trap informational

logging asdm informational

logging from-address syslog

logging recipient-address  level errors

logging host OLD-Private 192.168.17.110 format emblem

logging debug-trace

logging permit-hostdown

mtu WAN 1500

mtu OLD-Private 1500

mtu Management 1500

! VPN_Admin_IP (inside the Management subnet) is not referenced by any
! tunnel-group in the visible configuration; vpnclient is used by both
! remote-access groups below.
ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0

ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0

! Active/standby pair over Vlan100 (Ethernet0/5); the failover key is
! masked in the post.
failover

failover lan unit primary

failover lan interface failover Vlan100

failover polltime interface 15 holdtime 75

failover key *****

failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2

! ICMP addressed to the ASA itself (not traffic through it). The WAN list
! ends with an explicit deny any.
icmp unreachable rate-limit 1 burst-size 1

icmp permit 192.168.10.0 255.255.255.0 WAN

icmp permit 192.168.17.0 255.255.255.0 WAN

icmp permit host c.c.c.c WAN

icmp permit host a.a.a.a WAN

icmp deny any WAN

icmp permit 192.168.10.0 255.255.255.0 OLD-Private

icmp permit 192.168.17.0 255.255.255.0 OLD-Private

icmp permit host a.a.a.a OLD-Private

! "host" with a network address -- probably meant
! "icmp permit 192.168.10.0 255.255.255.0 Management".
icmp permit host 192.168.10.0 Management

icmp permit host 192.168.17.138 Management

icmp permit 192.168.1.0 255.255.255.0 Management

icmp permit host 192.168.1.26 Management

icmp permit host a.a.a.a Management

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

! Twice-NAT identity rules: traffic from 192.168.17.0/24 to the three
! remote/VPN-pool subnets is exempted from the PAT rule further down, so it
! keeps its real address and can match the crypto ACL. Order matters --
! manual NAT is evaluated before the object (auto) NAT on subnet-00.
nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-10 subnet-10 no-proxy-arp

nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-2 subnet-2 no-proxy-arp

nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-9 subnet-9 no-proxy-arp

! Source interface is Management (192.168.1.0/24) but the source object is
! 192.168.17.0/24, which lives on OLD-Private -- looks like a wizard
! leftover that never matches; verify and remove if so.
nat (Management,WAN) source static NETWORK_OBJ_192.168.17.0_24 NETWORK_OBJ_192.168.17.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup

!

! Object NAT: everything else from OLD-Private is PATed to the WAN address.
object network subnet-00

nat (OLD-Private,WAN) dynamic interface

! WAN_access_in starts with "permit ip any any" (see above), so inbound
! Internet traffic is not filtered by this ACL at all.
access-group WAN_access_in in interface WAN

access-group OLD-PRIVATE_access_in in interface OLD-Private

access-group MANAGEMENT_access_in in interface Management

! Default route; next hop redacted.
route WAN 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

! SSH authenticates against the local user database; no equivalent
! "aaa authentication http console LOCAL" is visible, so ASDM/HTTPS
! presumably falls back to the enable password -- confirm.
aaa authentication ssh console LOCAL

! Lockout after 10 failed local logins.
aaa local authentication attempts max-fail 10

http server enable

! Only allows the ASA's own WAN address -- effectively no one.
http b.b.b.b 255.255.255.255 WAN

! Opens ASDM/HTTPS management to every address on the Internet. Restrict
! it to the admin sources (e.g. "http a.a.a.a 255.255.255.255 WAN", like
! the ssh line below) or manage over the tunnel from OLD-Private instead.
http 0.0.0.0 0.0.0.0 WAN

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

service resetoutside

! Phase 2 proposal; matches the router's transform-set PEER1.
crypto ipsec ikev1 transform-set OFFICE esp-aes esp-sha-hmac

! Three crypto maps are defined (WAN_map, Office, MAP) but only "Office" is
! bound to the WAN interface; WAN_map and MAP are dead configuration.
! WAN_map 1 has no peer or transform-set, and its "set pfs" has no
! counterpart on the router's crypto map MAP.
crypto map WAN_map 1 match address WAN_1_cryptomap

crypto map WAN_map 1 set pfs

crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

! The live L2L entry: interesting traffic and peer are set but there is no
! transform-set -- the accepted answer below adds
! "crypto map Office 2 set ikev1 transform-set OFFICE". Without it phase 2
! fails with "crypto map policy not found" (see the 113019/713061 syslogs).
crypto map Office 2 match address WAN_1_cryptomap

crypto map Office 2 set peer a.a.a.a

crypto map Office interface WAN

! Peer/transform-set without a "match address", in an unbound map -- remove.
crypto map MAP 10 set peer a.a.a.a

crypto map MAP 10 set ikev1 transform-set OFFICE

crypto ikev1 enable WAN

! Phase 1: matches the router's isakmp policy 10 (aes 256 / pre-share /
! group 2). Group 2 (1024-bit DH) is weak by current guidance; move both
! ends together.
crypto ikev1 policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

telnet timeout 5

! A real public address left unredacted in the post (everything else is
! masked). SSH management limited to this host and the router's WAN
! address is the right shape.
ssh 121.98.137.77 255.255.255.255 WAN

ssh a.a.a.a 255.255.255.255 WAN

ssh timeout 30

ssh version 2

! Console sessions never time out.
console timeout 0


dhcpd auto_config OLD-Private

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

! Time source via the WAN interface; no "ntp authenticate" appears in the
! visible configuration. Log and certificate timestamps depend on this.
ntp server 129.6.15.28 source WAN prefer

webvpn

! Default policy advertises IKEv1 plus SSL client/clientless; any
! tunnel-group that does not override it inherits all three.
group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol ikev1 ssl-client ssl-clientless

group-policy admin internal

group-policy admin attributes

dns-server value 208.67.222.222 156.154.70.1

vpn-tunnel-protocol ikev1

! Policy for the L2L peer a.a.a.a: IKEv1 only.
group-policy GroupPolicy_a.a.a.a internal

group-policy GroupPolicy_a.a.a.a attributes

vpn-tunnel-protocol ikev1

group-policy CiscoVPNClient internal

group-policy CiscoVPNClient attributes

vpn-idle-timeout 30

vpn-session-timeout none

! l2tp-ipsec and clientless SSL are enabled here as well as IKEv1; drop
! whatever the clients do not actually use.
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless

split-tunnel-policy tunnelspecified

split-tunnel-network-list value CiscoVPNClient_splitTunnelAcl

! Single privilege-15 local account, used for SSH (LOCAL) and presumably
! for the remote-access groups below; value redacted.
username admin password password encrypted privilege 15

! Remote-access group "admin" (same name as the local user).
tunnel-group admin type remote-access

tunnel-group admin general-attributes

address-pool vpnclient

authorization-server-group LOCAL

default-group-policy admin

! Site-to-site peer; the PSK is masked here and must equal the router's
! "crypto isakmp key ... address b.b.b.b".
tunnel-group a.a.a.a type ipsec-l2l

tunnel-group a.a.a.a general-attributes

default-group-policy GroupPolicy_a.a.a.a

tunnel-group a.a.a.a ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group CiscoVPNClient type remote-access

tunnel-group CiscoVPNClient general-attributes

address-pool vpnclient

default-group-policy CiscoVPNClient

tunnel-group CiscoVPNClient ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

smtp-server 192.168.17.10

prompt hostname context

no call-home reporting anonymous

call-home

contact-email-addr

contact-name

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily


asdm image disk0:/asdm-647.bin

asdm location b.b.b.b 255.255.255.255 WAN

asdm location 192.168.17.2 255.255.255.255 WAN

asdm location a.a.a.a 255.255.255.255 OLD-Private

no asdm history enable

Eugene Khabarov Thu, 02/09/2012 - 03:07

WAN_1_cryptomap is defined incorrectly in your last config.


Once again. On ASA:


Remove these lines:

crypto map MAP

and

access-list WAN_2_cryptomap

and

access-list WAN_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0

Nick Sinyakov Thu, 02/09/2012 - 03:23

All removed:


5|Feb 10 2012|00:20:42|713904|||||IP = a.a.a.a, Received encrypted packet with no matching SA, dropping

4|Feb 10 2012|00:20:42|113019|||||Group = a.a.a.a, Username = a.a.a.a, IP = a.a.a.a, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found

5|Feb 10 2012|00:20:42|713259|||||Group = a.a.a.a, IP = a.a.a.a, Session is being torn down. Reason: crypto map policy not found

3|Feb 10 2012|00:20:42|713902|||||Group = a.a.a.a, IP = a.a.a.a, Removing peer from correlator table failed, no match!

3|Feb 10 2012|00:20:42|713902|||||Group = a.a.a.a, IP = a.a.a.a, QM FSM error (P2 struct &0xcb4ce360, mess id 0x48eb296d)!

3|Feb 10 2012|00:20:42|713061|||||Group = a.a.a.a, IP = a.a.a.a, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.10.0/255.255.255.0/0/0 local proxy 192.168.17.0/255.255.255.0/0/0 on interface WAN

5|Feb 10 2012|00:20:42|713119|||||Group = a.a.a.a, IP = a.a.a.a, PHASE 1 COMPLETED

6|Feb 10 2012|00:20:42|113009|||||AAA retrieved default group policy (GroupPolicy_a.a.a.a) for user = a.a.a.a

6|Feb 10 2012|00:20:42|713172|||||Group = a.a.a.a, IP = a.a.a.a, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device

Correct Answer
Eugene Khabarov Thu, 02/09/2012 - 03:53

Please add

crypto map Office 2 set ikev1 transform-set OFFICE


If that does not help, enable `debug crypto ipsec 255` and paste the output here.

HTH. Please rate if it was helpful; marking it as the "Correct answer" would also be appreciated.
Nick Sinyakov Thu, 02/09/2012 - 13:50

Thanks Zhenya, you are a great man! The tunnel is up and I have access from the office to the remote network. Now I'm going to allow access from all VLANs in the office to the remote network, set up keepalives for the tunnel, and permit reverse access from the remote network to our office.


Thanks again, excellent solution!

Eugene Khabarov Fri, 02/10/2012 - 04:42

No problem, you are welcome. The best thanks is a positive rating on my posts.

onowojemma Wed, 07/18/2012 - 04:42

Hello Sir, I have a VPN connection between an ASA 5520 and a 2811 router. The tunnel is up and I can ping LAN to LAN, but I cannot pass user traffic from LAN to LAN. Below is my config.



Building configuration...



Current configuration : 4589 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

! Password obfuscation is off, so every password and the ISAKMP key below
! appear in clear text in this running-config (and in this post).
no service password-encryption

!

hostname mynet

!

boot-start-marker

boot-end-marker

!

logging buffered 52000

! Clear-text enable password, and a dictionary word. Replace with
! "enable secret <new value>" and remove this line.
enable password class

!

no aaa new-model

memory-size iomem 10

!

!

! Phase 1: 3DES and group 2 are legacy; AES and group 14+ are preferred
! where both ends support them.
crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

! The live pre-shared key is in this post in clear text -- rotate it on
! both peers now that it is public.
crypto isakmp key 2!@$24c# address *.*.*.*

!

!

! "test" is not referenced by any crypto map in the visible configuration.
crypto ipsec transform-set test esp-3des esp-sha-hmac

crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac

!

! Bound to FastEthernet0/0/0. Interesting traffic is access-list 100
! (10.45.0.0/24 -> 10.40.0.0/16); the ASA's mirror of it must be exactly
! 10.40.0.0/16 -> 10.45.0.0/24.
crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to*.*.*.*

set peer *.*.*.*

set security-association lifetime seconds 28800

set transform-set SDM_TRANSFORMSET_1

match address 100

!

!

! Self-signed trustpoint backing "ip http secure-server" below.
crypto pki trustpoint TP-self-signed-2167060814

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2167060814

revocation-check none

rsakeypair TP-self-signed-2167060814

!

!

crypto pki certificate chain TP-self-signed-2167060814

certificate self-signed 01

  3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 32313637 30363038 3134301E 170D3132 30373034 31333431

  32365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31363730

  36303831 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100C364 7D402758 51F09695 BD154AC4 90AD2414 12EEC489 0A93144A E5F48988

  9EBEA6E8 651B2DCC 74598794 98FE7BB4 24720967 D45458E4 1B511CD9 066465C2

  6F7BABF4 BBDA2680 08058882 32E2B638 7AF69531 C29C0A90 E6346478 44729E28

  2B3A6A2B 7F9EDC55 902BC5BD 17A6D9BD EA7034FA 667714B9 014AC84D ACFBA560

  99230203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603

  551D1104 19301782 15454F44 2E6E6763 2D6E6E70 6367726F 75702E63 6F6D301F

  0603551D 23041830 16801435 2811E226 99B57C71 DF7CA409 9A41978B 55CA5E30

  1D060355 1D0E0416 04143528 11E22699 B57C71DF 7CA4099A 41978B55 CA5E300D

  06092A86 4886F70D 01010405 00038181 0030C710 D435CF51 FEEC6767 45CFE3D7

  448C764A 9C394041 5B48FE3C A0973381 5A08D7CC 843D8C88 945124EA 6AB2FF07

  947F10FE 072A853B 44637E03 20AF196A 2481C0BF 89FB5B78 84E0F0F5 6D1CCDC2

  D72DFE26 E5AE679E A23CAF1A 75E4FD45 502C57D5 FA04D427 6B32FE11 E2803ADE

  6C39D9DF D59C0ADD 8BFCEBC9 92B2F514 CE

            quit

!

!

ip cef

no ip dhcp use vrf connected

! 10.43.0.0 does not correspond to any interface in the visible
! configuration -- probably stale.
ip dhcp excluded-address 10.43.0.0 10.43.0.50

ip dhcp excluded-address 10.45.0.1 10.45.0.50

!

! LAN pool for FastEthernet0/1/0 (10.45.0.0/24).
ip dhcp pool ngcph

   network 10.45.0.0 255.255.255.0

   dns-server 83.229.88.30 217.194.129.30

   default-router 10.45.0.1

   domain-name ngc-nnpcgroup.com

   lease 7

!

!

ip domain name ngc-nnpcgroup.com

!

multilink bundle-name authenticated

!

!

!

! MD5-based type 5 secret; the hash is public now that it is in this post,
! so change the password (and prefer a stronger secret type if the image
! offers one).
username cisco privilege 15 secret 5 $1$hJFZ$/lQ9kVkbOqVVOoCs3LxlR0

! Keeps passwords out of the archived config-change log.
archive

log config

  hidekeys

!

!

!

!

!

interface FastEthernet0/0

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

! WAN: NAT outside and the crypto map. No inbound access-list is applied
! in the visible configuration, so the router's own HTTP/HTTPS and
! Telnet/SSH services are reachable from the Internet unless something
! upstream filters them.
interface FastEthernet0/0/0

description #ETH-WANS#

ip address *.*.*.* 255.255.255.248

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map SDM_CMAP_1

!

! LAN 10.45.0.0/24 -- the local side of the tunnel.
interface FastEthernet0/1/0

description FE int to 2nd$ETH-LAN$

ip address 10.45.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

ip route 0.0.0.0 0.0.0.0 *.*.*.*

!

!

! Plain HTTP management is enabled alongside HTTPS and no "ip http
! access-class" limits either; disable HTTP and restrict HTTPS to admin
! hosts.
ip http server

ip http authentication local

ip http secure-server

! The pool is named "ed" here but the NAT statement uses "ngceod" -- one of
! the two names looks wrong (or was altered in the paste); verify.
ip nat pool ed *.*.*.* *.*.*.* netmask 255.255.255.248

! Route-map SDM_RMAP_1 / ACL 102 keeps the VPN traffic out of NAT, which
! is correct on this side; the ASA has no matching NAT exemption (see its
! single "nat (inside,outside) source dynamic any interface" rule).
ip nat inside source route-map SDM_RMAP_1 pool ngceod

!

! Not referenced in the visible configuration.
access-list 10 remark CCP_ACL Category=16

access-list 10 permit 10.45.0.0 0.0.0.255

! Crypto ACL for SDM_CMAP_1.
access-list 100 remark CCP_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip 10.45.0.0 0.0.0.255 10.40.0.0 0.0.255.255

! Not referenced in the visible configuration.
access-list 101 remark CCP_ACL Category=16

access-list 101 permit ip 10.45.0.0 0.0.0.255 any

! NAT ACL (via route-map SDM_RMAP_1): VPN traffic is excluded before the
! permit.
access-list 102 remark CCP_ACL Category=2

access-list 102 remark IPSec Rule

access-list 102 deny   ip 10.45.0.0 0.0.0.255 10.40.0.0 0.0.255.255

access-list 102 permit ip 10.45.0.0 0.0.0.255 any

! Duplicate of 100 and not referenced -- wizard leftover.
access-list 106 remark CCP_ACL Category=4

access-list 106 remark IPSec Rule

access-list 106 permit ip 10.45.0.0 0.0.0.255 10.40.0.0 0.0.255.255

! SNMPv2c read-only community in clear text, no access-list, and now
! public. Change it and bind an ACL ("snmp-server community <new> RO
! <acl>"), or move to SNMPv3.
snmp-server community ngc RO

!

!

route-map SDM_RMAP_1 permit 1

match ip address 102

!

!

!

control-plane

!

!

! "login local" is in force, so the line password is not used for
! authentication -- but "password class" is still a clear-text dictionary
! word; remove it.
line con 0

password class

login local

line aux 0

! Telnet is accepted alongside SSH and no "access-class" restricts the
! sources; with no inbound ACL on the WAN interface this is reachable from
! the Internet. Use "transport input ssh" plus an access-class.
line vty 0 4

privilege level 15

password class

login local

transport input telnet ssh

!

scheduler allocate 20000 1000



!

webvpn cef

!

end


ASA



hostname MYHD-ASA

domain-name ngc-nnpcgroup.com

! Both hashes are published in this post (unlike the first ASA, nothing
! is masked); change the enable and login passwords.
enable password NuLKvvWGg.x9HEKO encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

! Inside LAN 10.40.0.0/16 -- the local side of the tunnel to the 2811.
interface GigabitEthernet1

nameif inside

security-level 100

ip address 10.40.0.1 255.255.0.0

no shutdown

!

! Internet-facing; address redacted.
interface GigabitEthernet0

nameif outside

security-level 0

ip address *.*.*.* 255.255.255.240

no shutdown

!

! The DMZ sits at security-level 100, the same as inside, and
! "same-security-traffic permit inter-interface" is set below -- so DMZ
! hosts reach the inside LAN with no ACL in the way. A DMZ normally gets a
! lower level (e.g. 50, like CHQWAN) plus an explicit access-list.
interface GigabitEthernet2

nameif DMZ

security-level 100

ip address 10.50.0.1 255.255.255.0

!

interface GigabitEthernet3

nameif CHQWAN

security-level 50

ip address 10.60.0.1 255.255.255.252

!

ftp mode passive

dns server-group DefaultDNS

domain-name ngc-nnpcgroup.com

! Together with DMZ at security-level 100 this opens DMZ <-> inside
! completely.
same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network OUTSIDEIP

host *.*.*.*

object network NETWORK_OBJ_10.40.0.0_16

subnet 10.40.0.0 255.255.0.0

! 10.45.0.0/16 here vs. 10.45.0.0/24 on the router (access-list 100 and
! its LAN interface). If this object feeds the crypto ACL or the NAT
! exemption, the proxy identities do not mirror each other; make it
! "subnet 10.45.0.0 255.255.255.0".
object network test

subnet 10.45.0.0 255.255.0.0

pager lines 24

logging asdm informational

! "management" is not among the interfaces shown above.
mtu management 1500

mtu DMZ 1500

mtu inside 1500

mtu CHQWAN 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo inside

icmp permit any echo-reply inside

icmp permit any echo-reply outside

icmp permit any echo outside

asdm image disk0:/asdm-631.bin

no asdm history enable

arp timeout 14400

! The only NAT rule: everything from inside is PATed to the outside
! address, including traffic for 10.45.0.0/24. Once translated the source
! is the outside IP, which never matches a crypto ACL for 10.40.0.0/16, so
! the packet leaves the outside interface untunnelled. That would explain
! why flows started from the 2811 side can work while sessions started
! here fail. Add an identity (NAT-exempt) rule ahead of this one, e.g.
!   nat (inside,outside) source static NETWORK_OBJ_10.40.0.0_16 NETWORK_OBJ_10.40.0.0_16 destination static test test no-proxy-arp route-lookup
! with "test" corrected to 10.45.0.0/24. The crypto map, ikev1 policy and
! tunnel-group for this peer are not in the paste, so the crypto ACL
! itself could not be checked.
nat (inside,outside) source dynamic any interface

route outside 0.0.0.0 0.0.0.0 *.*.*.* 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

! ASDM from any inside host; narrow this to the admin workstation(s).
http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

! No "ssh <host> <mask> <interface>" entries are visible, so SSH is
! presumably not reachable at all; ASDM is the only remote management path
! shown.
ssh timeout 5

console timeout 0

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

! Privilege-15 local account whose hash is now public; change it. No
! "aaa authentication ssh/http console LOCAL" is visible, so SSH/ASDM
! presumably still use the enable/passwd values above.
username nnpc password St5pgJAjD4J/dO/i encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context



management-access inside


Thanks in advance for your help
