Introduction
This document collects several scenarios in which users troubleshoot problems they ran into while implementing IPSec.
Scenario 1: Traffic forwarding in IPSec
Problem:
- The user has one 1921 router placed in front of an ASA 5510.
- The user wants to configure Remote Access VPN on the ASA firewall by forwarding traffic from the router on UDP port 500 and UDP port 4500.
- The user has one public IP address, and it is already configured for NAT on the router. Since IPsec cannot traverse NAT on its own, is it possible to configure the VPN on the ASA?
Prerequisite:
- Router (1921 used here)
- ASA (5510 used here)
- Public IP
Solution:
Config at ASA (ASA.txt file attached)
To map the global policy, use the command below.
(config)# service-policy global_policy global
Similarly, the security level is the same for both the inside and internal interfaces, so use the command below to allow traffic to pass between them.
(config)# same-security-traffic permit inter-interface
When the user says they have one public IP address: is this IP address assigned to the router interface, or is it an unassigned, separate IP address?
If it is an unassigned public IP address, the user can configure a static NAT on the router that translates the ASA outside IP address to the public IP address, as shown below:
{100.100.x.x}fa0/0<-(R1)->fa0/1(192.168.100.1)<-->(192.168.100.2)eth0/0(ASA)eth0/1{172.16.01}
ip nat inside source static 192.168.100.2 100.100.x.x
This gives a complete one-to-one (IP-to-IP) NAT.
If the user has only a single IP address and it is assigned to the router interface, then the user needs port NAT (PAT), as described below:
For VPN Gateways that run Cisco IOS Software Releases earlier than 12.2(13)T, the IPSec pass-through feature is needed on the router that performs PAT to allow Encapsulating Security Payload (ESP) through.
Note: This feature is known as IPSec through Network Address Translation (NAT) support in Software Advisory (registered customers only) .
In order to initiate the tunnel from the local (PATed) peer, no configuration is needed. In order to initiate the tunnel from the remote peer, these commands are needed:
ip nat inside source static esp inside_ip interface interface
ip nat inside source static udp inside_ip 500 interface interface 500
For VPN Gateways that run a Cisco IOS Software Release later than 12.2(13)T, IPSec traffic is encapsulated into User Datagram Protocol (UDP) port 4500 packets. This feature is known as IPSec NAT Transparency. In order to initiate the tunnel from the local (PATed) peer, no configuration is needed.
In order to initiate the tunnel from the remote peer, these commands are needed:
ip nat inside source static udp inside_ip 4500 interface interface 4500
ip nat inside source static udp inside_ip 500 interface interface 500
More information can be found at the link below:
Scenario 2: UC-500 and IPSec vpn clients disconnects
Problem:
The user's VPN clients keep disconnecting.
The user has a UC560 running uc500-advipservicesk9-mz.151-2.T2 at an HQ site. About 8 remote users try to connect via IPsec VPN clients (v5.0.07.0440) to HQ to access files etc. Only 5 users connect successfully, not 8. As soon as more users try to connect, they either:
- Connect successfully for a minute, then drop
- Get a 412, Remote peer is no longer responding
- Connect, but kick someone else's session off.
Prerequisite:
- UC560 running uc500-advipservicesk9-mz.151-2.T2
- IPsec VPN clients (v5.0.07.0440)
Solution:
Client configuration for the VPN clients:
crypto isakmp client configuration group USER01
key ********
dns 192.168.0.110
pool USER01_POOL
acl USER01_ACL
aaa authentication login RAUTHEN local
aaa authorization network RAUTHOR local if-authenticated
crypto isakmp profile USER01_PROF
match identity group USER01
client authentication list RAUTHEN
isakmp authorization list RAUTHOR
client configuration address respond
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp policy 100
encr aes
authentication pre-share
group 2
lifetime 3600
crypto isakmp policy 1000
encr 3des
authentication pre-share
group 2
After enabling debugging with the commands:
debug crypto isakmp
debug crypto ipsec
the debug output is as follows:
604899: Aug 21 16:41:13.333: ISAKMP:(2073): processing HASH payload. message ID = 284724149
604900: Aug 21 16:41:13.333: ISAKMP:(2073): processing NOTIFY DPD/R_U_THERE protocol 1 spi 0, message ID = 284724149, sa = 0x8E7C6E68
604901: Aug 21 16:41:13.333: ISAKMP:(2073):deleting node 284724149 error FALSE reason "Informational (in) state 1"
604902: Aug 21 16:41:13.333: ISAKMP:(2073):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
604903: Aug 21 16:41:13.333: ISAKMP:(2073):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
581504: Aug 20 16:59:12.805: ISAKMP:(2147):purging node -1455244451
581505: Aug 20 16:59:12.805: ISAKMP:(2147):purging node 840814618
581506: Aug 20 16:59:13.933: ISAKMP (2147): received packet from 201.195.231.162 dport 4500 sport 37897 Global (R) QM_IDLE
581507: Aug 20 16:59:13.933: ISAKMP: set new node 801982813 to QM_IDLE
581508: Aug 20 16:59:13.933: ISAKMP:(2147): processing HASH payload. message ID = 801982813
581509: Aug 20 16:59:13.933: ISAKMP:received payload type 18
581510: Aug 20 16:59:13.933: ISAKMP:(2147):Processing delete with reason payload
581511: Aug 20 16:59:13.933: ISAKMP:(2147):delete doi = 0
581512: Aug 20 16:59:13.933: ISAKMP:(2147):delete protocol id = 1
581513: Aug 20 16:59:13.933: ISAKMP:(2147):delete spi_size = 16
581514: Aug 20 16:59:13.933: ISAKMP:(2147):delete num spis = 1
581515: Aug 20 16:59:13.933: ISAKMP:(2147):delete_reason = 2
581516: Aug 20 16:59:13.933: ISAKMP:(2147): processing DELETE_WITH_REASON payload, message ID = 801982813, reason: DELETE_BY_USER_COMMAND
581517: Aug 20 16:59:13.933: ISAKMP:(2147):peer does not do paranoid keepalives.
581518: Aug 20 16:59:13.933: ISAKMP:(2147):peer does not do paranoid keepalives.
581519: Aug 20 16:59:13.933: ISAKMP:(2147):deleting SA reason "BY user command" state (R) QM_IDLE (peer 201.195.231.162)
581520: Aug 20 16:59:13.933: ISAKMP:(2147):deleting node 801982813 error FALSE reason "Informational (in) state 1"
581521: Aug 20 16:59:13.933: ISAKMP: set new node -878597687 to QM_IDLE
581522: Aug 20 16:59:13.937: ISAKMP:(2147): sending packet to 201.xx.xx.xx my_port 4500 peer_port 37897 (R) QM_IDLE
581523: Aug 20 16:59:13.937: ISAKMP:(2147):Sending an IKE IPv4 Packet.
581524: Aug 20 16:59:13.937: ISAKMP:(2147):purging node -878597687
581525: Aug 20 16:59:13.937: ISAKMP:(2147):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
581526: Aug 20 16:59:13.937: ISAKMP:(2147):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
From the debugs we can see that we are receiving a DELETE message from the client at 201.xx.xx.xx.
Typically, you will see this when the user terminates the connection. If this is not the case, it is most likely something with the client causing a delete to be sent in error. Unfortunately, as the legacy IPsec VPN client is End of Support, TAC may not be able to provide you with a permanent fix. If you could test from a different client (Cisco iOS built-in client, Mac OSX built-in client, another Cisco router acting as a client, etc.), this could help confirm if the Cisco VPN Client is what is causing the issue.
An IOS upgrade is worth a shot, although the debugs seem to indicate it is an issue with the client. If possible, I would still suggest testing with another client to see if it's unique to the Cisco VPN Client on Win7. Regarding the 20 tunnel limit, this most likely refers to the number of IPsec SAs. If you issue a "show crypto eli", this will print the number of IPSec-Sessions which are currently active.
Router#sh cry eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine Onboard VPN details: state = Active
Capability : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE
IPSec-Session : 56 active, 60 max, 5 failed
That looks like that'll do it. Keep in mind that each IPsec "tunnel" (i.e. client connection) will have an inbound and an outbound SPI, each of which counts as an "IPSec-Session" in this "show crypto eli" output. Therefore, the 60 max sessions equate to 30 client connections.
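The two checks the engineer performs above, reading the peer's DELETE out of the ISAKMP debugs and turning the IPSec-Session counters into a client-connection count, can be scripted so they run over a saved debug capture. The following is an added example, not code from the original discussion; the debug and "show crypto eli" lines it parses are constructed samples copied from the output quoted above, with the peer address masked as the discussion masks it.

```python
"""Parse IOS ISAKMP debug output and 'show crypto eli' output.

Added example, not from the original discussion. The log lines below are a
constructed sample built from the lines quoted in Scenario 2.
"""
import re

# Constructed sample: a DPD keepalive exchange (harmless) followed by the
# peer-initiated delete that the discussion identifies as the disconnect.
DEBUG_SAMPLE = """\
604900: Aug 21 16:41:13.333: ISAKMP:(2073): processing NOTIFY DPD/R_U_THERE protocol 1 spi 0, message ID = 284724149, sa = 0x8E7C6E68
604903: Aug 21 16:41:13.333: ISAKMP:(2073):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
581510: Aug 20 16:59:13.933: ISAKMP:(2147):Processing delete with reason payload
581516: Aug 20 16:59:13.933: ISAKMP:(2147): processing DELETE_WITH_REASON payload, message ID = 801982813, reason: DELETE_BY_USER_COMMAND
581519: Aug 20 16:59:13.933: ISAKMP:(2147):deleting SA reason "BY user command" state (R) QM_IDLE (peer 201.xx.xx.xx)
581526: Aug 20 16:59:13.937: ISAKMP:(2147):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
"""

# Constructed sample: the 'show crypto eli' output quoted in the discussion.
ELI_SAMPLE = """\
Router#sh cry eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine Onboard VPN details: state = Active
Capability : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE
IPSec-Session : 56 active, 60 max, 5 failed
"""

DELETE_PAYLOAD_RE = re.compile(
    r"ISAKMP:\((\d+)\): processing DELETE_WITH_REASON payload, "
    r"message ID = (-?\d+), reason: (\S+)")
DELETE_SA_RE = re.compile(
    r'ISAKMP:\((\d+)\):deleting SA reason "([^"]+)" '
    r"state \(\w\) (\S+) \(peer (\S+)\)")


def find_peer_deletes(debug_text):
    """Return one record per IKE SA torn down after a DELETE from the peer.

    The reason code arrives in the DELETE_WITH_REASON payload; the teardown
    line that carries the peer address follows under the same SA id, so the
    two are correlated by that id.
    """
    payload_reason = {}  # SA id -> reason code from the peer's payload
    deletes = []
    for line in debug_text.splitlines():
        m = DELETE_PAYLOAD_RE.search(line)
        if m:
            payload_reason[m.group(1)] = m.group(3)
            continue
        m = DELETE_SA_RE.search(line)
        if m:
            sa_id, reason, state, peer = m.groups()
            deletes.append({
                "sa": sa_id,
                "peer": peer,
                "state": state,
                "reason": reason,
                "payload_reason": payload_reason.get(sa_id, "none"),
                # DELETE_BY_USER_COMMAND is what a user-initiated disconnect looks like
                "user_initiated": payload_reason.get(sa_id) == "DELETE_BY_USER_COMMAND",
            })
    return deletes


def client_capacity(eli_text):
    """Derive tunnel counts from the IPSec-Session line of 'show crypto eli'.

    Each client tunnel holds an inbound and an outbound IPsec SA, and each SA
    counts as one IPSec-Session, so tunnels = sessions / 2.
    """
    m = re.search(r"IPSec-Session\s*:\s*(\d+) active, (\d+) max, (\d+) failed", eli_text)
    if not m:
        raise ValueError("no IPSec-Session line found")
    active, maximum, failed = (int(x) for x in m.groups())
    return {
        "active_sessions": active,
        "max_sessions": maximum,
        "failed_sessions": failed,
        "active_tunnels": active // 2,
        "max_tunnels": maximum // 2,
        "tunnels_free": (maximum - active) // 2,
    }


if __name__ == "__main__":
    for d in find_peer_deletes(DEBUG_SAMPLE):
        print(f"SA {d['sa']} to {d['peer']} deleted: {d['payload_reason']} "
              f"(user initiated: {d['user_initiated']})")
    print(client_capacity(ELI_SAMPLE))
```

Run against a full debug capture, a series of records with `user_initiated` true for clients who did not actually disconnect is the pattern the engineer attributes to the client; a capacity dictionary whose `tunnels_free` is 0 points at the SA limit instead.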
Scenario 3: IPSec site-to-site problem on ASA using ver 9.1 vs IOS
Problem:
The user is trying to set up a site-to-site VPN between an ASA and an IOS router, without success.
The logs received are:
The networks are:
172.25.0.0 (inside of the ASA), behind the ASA outside address A.A.A.A, needs to connect to the IOS router at B.B.B.B, whose inside network is 192.168.1.0.
Configuration:
ASA Version 9.0(1)
!
hostname ASA-5505
domain-name 1.kz
names
ip local pool vpn_pool_ASA-5505 192.168.172.2-192.168.172.100 mask 255.255.255.0
ip local pool SAME_NET_ALA 172.25.66.200-172.25.66.210 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
speed 10
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 172.25.66.15 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address A.A.A.A 255.255.255.252
!
ftp mode passive
clock timezone ALMST 6
clock summer-time ALMDT recurring last Sun Mar 0:00 last Sun Oct 0:00
dns server-group DefaultDNS
domain-name 1.kz
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_172.25.66.0_24
subnet 172.25.66.0 255.255.255.0
object network NETWORK_OBJ_192.168.172.0_25
subnet 192.168.172.0 255.255.255.128
object network NETWORK_OBJ_172.25.66.192_27
subnet 172.25.66.192 255.255.255.224
object network ALA_office
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_172.25.0.0_16
subnet 172.25.0.0 255.255.0.0
access-list SAME_NET_ALA_splitTunnelAcl standard permit 172.25.66.0 255.255.255.0
access-list SAME_NET_ALA_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list SAME_NET_ALA_splitTunnelAcl standard permit 172.0.0.0 255.0.0.0
access-list VPN-OUT-INS extended permit ip 192.168.172.0 255.255.255.0 any log
access-list VPN-IN-INS extended permit ip any any log
access-list VPN-OUT-OUT extended permit ip any 192.168.172.0 255.255.255.0 log
access-list VPN-OUT-ALL standard permit any4
access-list net172 standard permit 172.25.0.0 255.255.0.0
access-list net10 standard permit 10.0.0.0 255.0.0.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.25.66.0_24 object ALA_office
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_172.25.66.0_24 NETWORK_OBJ_172.25.66.0_24 destination static NETWORK_OBJ_192.168.172.0_25 NETWORK_OBJ_192.168.172.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static obj_any obj_any destination static NETWORK_OBJ_172.25.66.192_27 NETWORK_OBJ_172.25.66.192_27 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.25.66.0_24 NETWORK_OBJ_172.25.66.0_24 destination static ALA_office ALA_office no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group VPN-IN-INS in interface inside
access-group VPN-IN-INS out interface inside
route outside 0.0.0.0 0.0.0.0 88.204.136.165 1
route inside 10.0.0.0 255.0.0.0 172.25.66.1 2
route inside 172.0.0.0 255.0.0.0 172.25.66.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.25.66.16 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set Alma-set esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer B.B.B.B
crypto map outside_map 1 set ikev1 transform-set Alma-set
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
no anyconnect-essentials
group-policy web_access internal
group-policy web_access attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value PRTG
group-policy SAME_NET_ALA internal
group-policy SAME_NET_ALA attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SAME_NET_ALA_splitTunnelAcl
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_to_ALA internal
tunnel-group SAME_NET_ALA type remote-access
tunnel-group SAME_NET_ALA general-attributes
address-pool SAME_NET_ALA
default-group-policy SAME_NET_ALA
tunnel-group SAME_NET_ALA ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group web_access type remote-access
tunnel-group web_access general-attributes
default-group-policy web_access
tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B general-attributes
default-group-policy GroupPolicy1
tunnel-group B.B.B.B ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect http
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:932099620805dc22d9e48a5e04314887
IOS Router:
Last configuration change at 12:22:45 UTC Fri Aug 29 2014 by yerzhan
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1921_center
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
ip cef
!
ip domain name yourdomain.com
no ipv6 cef
!
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-260502430
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-260502430
revocation-check none
rsakeypair TP-self-signed-260502430
!
!
crypto pki certificate chain TP-self-signed-260502430
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32363035 30323433 30301E17 0D313331 31323630 35343131
355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3236 30353032
34333030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
C178A16C 26637A32 E2FE6EB2 DE63FC5D 2F4096D2 1A223CAF 52A122A1 F152F0E0
D2305008 FA312D36 E055D09C 730111B6 487A01D5 629F8DE4 42FF0444 4B3B107A
F6439BA2 970EFE71 C9127F72 F93603E0 11B3F622 73DB1D7C 1889D57C 88C3B141
ED39B0EA 377CE1F7 610F9C76 FC9C843F A81AEFFE 07917A4B 2946032B 207160B9
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 1680146B B9F671FA BDD822DF 76802EEA 161D18D6 9B8C4030 1D060355
1D0E0416 04146BB9 F671FABD D822DF76 802EEA16 1D18D69B 8C40300D 06092A86
4886F70D 01010505 00038181 00B0C56F F1F4F85C 5FE7BF24 27D1DF41 7E9BB9CE
0447910A 07209827 E780FA0D 3A969CD0 12929830 14AAA496 0D17F684 7F841261
56365D9C AA15019C ABC74D0A 3CD4E002 F63AA181 B3CC4461 4E56E58D C8237899
29F48CFA 67C4B84B 95D456C3 F0CF858D 43C758C3 C285FEF1 C002E2C5 DCFB9A8A
6A1DF7E3 EE675EAF 7A608FB7 88
quit
license udi pid CISCO1921/K9 sn FCZ1748C14U
!
redundancy
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 2
crypto isakmp key PSK-KEY address A.A.A.A
crypto isakmp key 6 PSK-KEY address 0.0.0.0
!
crypto isakmp client configuration group ALA-EMP-VPN
key *.*.*.*
dns 8.8.8.8
domain cisco.com
pool ippool
acl 101
netmask 255.255.255.0
!
!
crypto ipsec transform-set dmvpn_alad esp-3des esp-md5-hmac
mode transport
crypto ipsec transform-set myset esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set TRIPSECMAX esp-3des esp-md5-hmac
mode transport
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile MAXPROFILE
set transform-set TRIPSECMAX
!
!
crypto ipsec profile dmvpn_profile
set transform-set dmvpn_alad
!
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 20 ipsec-isakmp
set peer A.A.A.A
set transform-set AES-SHA
match address VPN_ASA_PAV
!
interface Loopback1
ip address 10.10.10.10 255.255.255.255
!
interface Tunnel2
ip address 192.168.101.1 255.255.255.240
no ip redirects
ip nhrp authentication NHRPMAX
ip nhrp map multicast dynamic
ip nhrp network-id 4679
ip ospf network broadcast
ip ospf hello-interval 30
ip ospf priority 10
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 4679
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description to_LAN
ip address 192.168.1.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description to_ISP
ip address B.B.B.B 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map clientmap
!
router ospf 100
auto-cost reference-bandwidth 1000
area 0 authentication message-digest
area 192.168.1.0 authentication message-digest
redistribute static subnets
passive-interface default
no passive-interface Tunnel1
network 10.10.10.10 0.0.0.0 area 192.168.1.0
network 192.168.1.0 0.0.0.255 area 192.168.1.0
network 192.168.222.0 0.0.0.15 area 0
!
router ospf 1
router-id 1.1.1.1
redistribute static subnets
passive-interface default
no passive-interface Tunnel2
network 10.10.10.10 0.0.0.0 area 192.168.1.0
network 192.168.1.0 0.0.0.255 area 192.168.1.0
network 192.168.101.0 0.0.0.15 area 0
!
ip local pool ippool 192.168.33.1 192.168.33.20
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 111 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.11 22 B.B.B.B 8022 extendable
ip route 0.0.0.0 0.0.0.0 B.B.B.C
!
ip access-list extended ACL-NAT
deny ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
permit ip any any
ip access-list extended ACL-VPN
permit ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
ip access-list extended VPN_ASA_PAV
permit ip 192.168.1.0 0.0.0.255 172.25.66.0 0.0.0.255
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 111 permit ip any any
!
control-plane
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
transport input telnet ssh
line vty 5 15
exec-timeout 0 0
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
Prerequisite:
- ASA v(9.1)
- Router IOS v(15)
Solution:
The problem is a mismatch between the crypto access lists on the two ends of the VPN.
The ASA says this:
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.25.66.0_24 object ALA_office
The router says this:
permit ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
They should be exact mirror images of each other: the router's remote network (172.25.0.0/16) must equal the ASA's local network (172.25.66.0/24).
ASA:
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.25.66.0_24 object ALA_office
object network NETWORK_OBJ_172.25.66.0_24
subnet 172.25.66.0 255.255.255.0
object network ALA_office
subnet 192.168.1.0 255.255.255.0
IOS:
ip access-list extended VPN_ASA_PAV
permit ip 192.168.1.0 0.0.0.255 172.25.66.0 0.0.0.255
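The mirror-match rule above is easy to get wrong by eye because the ASA expresses networks through named objects with netmasks while IOS uses wildcard masks inline. The following added example (not code from the original discussion) parses both forms into network objects and reports every access-control entry that lacks an exact (remote, local) mirror on the other side. The ASA and IOS fragments it works on are constructed samples copied from the configurations quoted in this scenario; the wrong router ACL is labelled ACL-VPN as in the posted router config, and the corrected one is VPN_ASA_PAV.

```python
"""Check that an ASA crypto ACL and an IOS crypto ACL mirror each other.

Added example, not part of the original discussion. The config fragments
are constructed samples copied from the lines quoted in Scenario 3.
"""
import ipaddress
import re

# Constructed sample: the ASA's object definitions and crypto ACL.
ASA_CONFIG = """\
object network NETWORK_OBJ_172.25.66.0_24
 subnet 172.25.66.0 255.255.255.0
object network ALA_office
 subnet 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.25.66.0_24 object ALA_office
"""

# Constructed sample: the router ACL that does not match (a /16 remote) ...
IOS_ACL_WRONG = """\
ip access-list extended ACL-VPN
 permit ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
"""

# ... and the corrected ACL from the solution (a /24 remote).
IOS_ACL_FIXED = """\
ip access-list extended VPN_ASA_PAV
 permit ip 192.168.1.0 0.0.0.255 172.25.66.0 0.0.0.255
"""


def _asa_operand(tokens, objects):
    """Consume one ASA ACE address operand; return (network, remaining tokens)."""
    if tokens[0] == "object":
        return objects[tokens[1]], tokens[2:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def asa_crypto_acl(config, acl_name):
    """Return {(local, remote)} from an ASA crypto ACL, resolving object names."""
    objects, current, pairs = {}, None, set()
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif (m := re.match(r"subnet (\S+) (\S+)$", line)) and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(rf"access-list {re.escape(acl_name)} extended permit ip (.+)$", line):
            local, rest = _asa_operand(m.group(1).split(), objects)
            remote, _ = _asa_operand(rest, objects)
            pairs.add((local, remote))
    return pairs


def _ios_operand(tokens):
    """Consume one IOS ACE address operand (wildcard-mask form)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # IOS writes wildcard (inverse) masks; invert to get a netmask.
    wildcard = int(ipaddress.ip_address(tokens[1]))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}"), tokens[2:]


def ios_crypto_acl(config, acl_name):
    """Return {(local, remote)} from a named IOS extended ACL."""
    pairs, in_acl = set(), False
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("ip access-list extended "):
            in_acl = line.split()[-1] == acl_name
        elif in_acl and (m := re.match(r"permit ip (.+)$", line)):
            local, rest = _ios_operand(m.group(1).split())
            remote, _ = _ios_operand(rest)
            pairs.add((local, remote))
    return pairs


def mirror_mismatches(asa_pairs, ios_pairs):
    """Entries on each side whose (remote, local) mirror is absent on the other."""
    missing_on_ios = [p for p in asa_pairs if (p[1], p[0]) not in ios_pairs]
    missing_on_asa = [p for p in ios_pairs if (p[1], p[0]) not in asa_pairs]
    return missing_on_ios, missing_on_asa


def acls_mirror(asa_config, asa_acl, ios_config, ios_acl):
    """True when every ACE on one side has an exact mirror on the other."""
    missing_on_ios, missing_on_asa = mirror_mismatches(
        asa_crypto_acl(asa_config, asa_acl), ios_crypto_acl(ios_config, ios_acl))
    return not missing_on_ios and not missing_on_asa


if __name__ == "__main__":
    for name, ios in (("ACL-VPN", IOS_ACL_WRONG), ("VPN_ASA_PAV", IOS_ACL_FIXED)):
        ok = acls_mirror(ASA_CONFIG, "outside_cryptomap", ios, name)
        print(f"{name}: {'mirror OK' if ok else 'MISMATCH'}")
```

With the /16 router ACL the check reports the ASA entry 172.25.66.0/24 -> 192.168.1.0/24 as having no mirror on the router and the router entry 192.168.1.0/24 -> 172.25.0.0/16 as having no mirror on the ASA, which is exactly the disagreement that stops the IKE phase 2 proxy IDs from matching; with the corrected /24 ACL both lists come back empty.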