11-05-2013 10:27 AM - edited 03-11-2019 08:00 PM
I've got an ASA 5505 on my hands, with the enterprise license. In the example above, VPN "22" tunnel is up & passes traffic just fine. VPN "11" won't come up. I think I'm missing something. Is it related to the two lines at the bottom?
crypto map MyVPN 11 match address toVPN-A
crypto map MyVPN 11 set pfs
crypto map MyVPN 11 set peer VPN-A_Peer
crypto map MyVPN 11 set transform-set ESP-3DES-MD5
-----------------------------------------------
crypto map MyVPN 22 match address toVPN-B
crypto map MyVPN 22 set pfs
crypto map MyVPN 22 set peer VPN-B_Peer
crypto map MyVPN 22 set transform-set ESP-DES-MD5
crypto map MyVPN interface outside
crypto isakmp policy 22
crypto isakmp nat-traversal 22
Thanks,
Alex
11-12-2013 09:26 AM
If the tunnel goes down the route will still be in place. You would need to create a track object that tests reachability over the VPN and associate it with the route that sends traffic over the VPN. Then if the remote destination is not reachable the route will be removed and the route with the higher metric will take over.
11-05-2013 10:45 AM
Please send the complete configuration. We need to know the version that you're using, are you using pre-share, do you have debugs, what is the interesting traffic, are you supposed to use ESP-DES-MD5 or ESP-3DES-MD5.
11-05-2013 10:47 AM
Did you configure tunnel-group, can you reach the remote peer? So much to ask without the configuration.
11-05-2013 10:48 AM
Please use this guide for configuration example:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/site2sit.pdf
11-05-2013 11:17 AM
OK, below is a sanitized config. Publicly routable IPs have been changed. In the example the TSI tunnel works fine but the Forestville tunnel won't come up.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.11.05 14:00:23 =~=~=~=~=~=~=~=~=~=~=~=
DASS-VPN#
DASS-VPN# show runt
: Saved
:
ASA Version 8.2(1)
!
hostname DASS-VPN
domain-name dass
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxx encrypted
names
name 192.168.6.115 Forestville_FTP1
name 192.168.6.116 Forestville_FTP2
name 192.168.4.160 Forestville-FTP
name 15.16.17.18 Forestville_PEER
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.28.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.189.157 255.255.254.0
!
interface Vlan3
no forward interface Vlan1
nameif DMZ
security-level 50
ip address 192.168.1.2 255.255.255.0
!
interface Vlan4
nameif LEO-GEO
security-level 80
ip address 192.168.29.1 255.255.255.0
!
interface Vlan5
nameif EXT-FTP
security-level 70
ip address 192.168.27.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 4
!
interface Ethernet0/5
switchport access vlan 3
speed 100
duplex full
!
interface Ethernet0/6
switchport access vlan 5
!
interface Ethernet0/7
!
banner login ....................
banner login ................
banner login ...............
!
banner motd ...............
banner motd ...............
banner motd ...............
ftp mode passive
dns server-group DefaultDNS
domain-name dass
access-list toTSI extended permit ip 192.168.28.0 255.255.255.128 10.25.0.0 255.255.255.0
access-list exclude_from_nat extended permit ip 192.168.28.0 255.255.255.128 10.25.0.0 255.255.255.0
access-list exclude_from_nat extended permit ip 192.168.28.0 255.255.255.0 192.168.29.0 255.255.255.0
access-list exclude_from_nat extended permit ip host 192.168.28.72 host Forestville_FTP1
access-list exclude_from_nat extended permit ip host 192.168.28.72 host Forestville_FTP2
access-list toForestville extended permit ip host 182.168.28.74 host Forestville-FTP
access-list toForestville extended permit ip host 192.168.28.72 host Forestville_FTP1
access-list toForestville extended permit ip host 192.168.28.72 host Forestville_FTP2
access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 eq pcanywhere-data
access-list tsi_policy extended permit udp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 eq pcanywhere-status
access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.0 eq 3389
access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 host 192.168.28.71 eq 1433
access-list tsi_policy extended permit icmp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 echo-reply
access-list tsi_policy extended permit icmp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 echo
access-list Forestville_vpn_filter extended permit tcp host Forestville-FTP host 192.168.28.74 eq ftp
access-list Forestville_vpn_filter extended permit tcp host Forestville_FTP2 host 192.168.28.72 eq ftp
access-list Forestville_vpn_filter extended permit tcp host Forestville_FTP2 eq ftp host 192.168.28.72
access-list Forestville_vpn_filter extended permit tcp host Forestville_FTP1 host 192.168.28.72 eq ftp
access-list Forestville_vpn_filter extended permit tcp host Forestville_FTP1 eq ftp host 192.168.28.72
access-list outside_access_in remark Allow HTTPS access to Packet Data Server (SRV3)
access-list outside_access_in extended permit tcp any host 172.16.189.157 eq https log
access-list DMZ_access_in remark Allows traffic inbound from frame-relay
access-list DMZ_access_in extended permit tcp host Forestville-FTP host 192.168.28.74 eq ftp
access-list DMZ_access_in extended permit ip 192.168.29.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list inside_access_in remark Allows traffic into ASA from Inside
access-list inside_access_in extended permit tcp host 192.168.28.74 host Forestville-FTP eq ftp
access-list inside_access_in extended permit tcp host 192.168.28.74 192.168.29.0 255.255.255.0 eq ftp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list FTP-test remark For testing FTP packets
access-list FTP-test extended permit tcp host 192.168.28.72 host Forestville-FTP
access-list NEO-GEO-in remark allows traffic out of NEO-GEO net
access-list NEO-GEO-in extended permit udp any host 172.16.244.173 eq domain
access-list NEO-GEO-in extended permit udp any host 172.16.50.17 eq domain
access-list NEO-GEO-in extended permit udp any host 172.16.10.134 eq domain
access-list NEO-GEO-in extended permit tcp host 192.168.29.13 host 192.168.28.74 eq ftp
access-list NEO-GEO-in extended permit tcp host 192.168.29.11 host 192.168.28.74 eq ftp
access-list NEO-GEO-in extended permit tcp host 192.168.29.23 host 192.168.28.74 eq ftp
access-list NEO-GEO-in extended permit tcp host 192.168.29.21 host 192.168.28.74 eq ftp
access-list NEO-GEO-in extended deny ip any 192.168.28.0 255.255.255.0
access-list NEO-GEO-in extended permit ip any any
access-list EXT-FTP-in remark allows traffic out of EXT-FTP network
access-list EXT-FTP-in extended permit ip any any
access-list SAR-no-nat extended permit ip 192.168.28.0 255.255.255.0 192.168.29.0 255.255.255.0
access-list LUT-no-nat extended permit ip 192.168.29.0 255.255.255.0 192.168.28.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging trap informational
logging history notifications
logging asdm informational
logging facility 16
logging device-id hostname
logging host outside 172.16.195.171
logging host outside 172.16.167.138
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu LEO-GEO 1500
mtu EXT-FTP 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any unreachable outside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list exclude_from_nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (LEO-GEO) 0 access-list LUT-no-nat
nat (LEO-GEO) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.28.72 https netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
access-group NEO-GEO-in in interface LEO-GEO
access-group EXT-FTP-in in interface EXT-FTP
route outside 0.0.0.0 0.0.0.0 172.16.188.1 1
route DMZ Forestville-FTP 255.255.255.255 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 65000
http 192.168.28.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map DassVPN 500 match address toForestville
crypto map DassVPN 500 set pfs
crypto map DassVPN 500 set peer Forestville_PEER
crypto map DassVPN 500 set transform-set ESP-3DES-MD5
crypto map DassVPN 1000 match address toTSI
crypto map DassVPN 1000 set pfs
crypto map DassVPN 1000 set peer 12.13.14.15 <
crypto map DassVPN 1000 set transform-set ESP-DES-MD5
crypto map DassVPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1000
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 1000
telnet timeout 60
ssh 192.168.28.0 255.255.255.0 inside
ssh Comcast-IP 255.255.255.255 outside
ssh 172.16.166.209 255.255.255.255 outside
ssh 172.16.167.110 255.255.255.255 outside
ssh timeout 60
console timeout 60
dhcpd ping_timeout 750
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.28.50 source inside prefer
tftp-server inside 192.168.28.72 DASS-ASA-Config_yyyy-mm-dd.txt
webvpn
group-policy ForestvillePolicy internal
group-policy ForestvillePolicy attributes
vpn-filter value Forestville_vpn_filter
vpn-tunnel-protocol IPSec
group-policy TSIPolicy internal
group-policy TSIPolicy attributes
vpn-filter value tsi_policy
vpn-tunnel-protocol IPSec
username admin password .ti4neGRW24q84lH encrypted privilege 15
tunnel-group 12.13.14.15 type ipsec-l2l
tunnel-group 12.13.14.15 general-attributes
default-group-policy TSIPolicy
tunnel-group 12.13.14.15 ipsec-attributes
pre-shared-key ********
tunnel-group Forestville_PEER type ipsec-l2l
tunnel-group Forestville_PEER general-attributes
default-group-policy ForestvillePolicy
tunnel-group Forestville_PEER ipsec-attributes
pre-shared-key ********
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b8ac13d60ba239ace8a3653930959ed8
: end
DASS-VPN#
11-05-2013 12:38 PM
Could you post the output of show crypto isakmp.
Do you have administrative rights at the remote end of VPN 11? if not did they give you the phase 1 and 2 configurations? If so could you post the required configurations for the remote end.
11-06-2013 02:54 PM
Do you still need assistance?
Please rate the assistance.
11-06-2013 05:03 PM
I'll post "show crypto isakmp" on Thurs. I don't have any access to the remote end, unfortunately.
11-08-2013 05:22 AM
Output of show crypto isakmp sa:
DASS-VPN# show crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 12.13.14.15
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
DASS-VPN#
=====output from debug crypto isakmp 200============
The only output I saw on IKE, was keepalives back and forth, involving the TSI VPN remote peer, 12.13.14.15. I didn't see any entries for the Forestville VPN peer, 15.16.17.18 at all.
=================================
11-08-2013 07:10 AM
Could you contact the remote site and ask them to send you the phase1 and phase2 settings (if you don't already have them).
Also if you could post a full sanitized configuration please.
11-08-2013 09:16 AM
Here's something meaningful...
The config line:
crypto map DassVPN 500 match address toForestville
refers to an ACL, "toForestville", which allows traffic from the inside network to pass into the IPSEC tunnel. Now the next complication.. Apparently static routes 'trump' this ACL, because I have a static route that's directing the traffic over a frame-relay connection that's connected on interface "DMZ" right now, and I know it's working. SO.... It looks like the static route is grabbing the traffic. So, one thing at a time -- let's see if we can get the tunnel to come up. Shall I just temporarily delete the static route in order for traffic to be 'sucked into' the tunnel by virtue of the "toForestville" ACL?
Too bad I can't refer to the IPSEC tunnel as a sub-interface & include it in different-cost routing statements, like I can on Juniper SRX....
11-08-2013 12:13 PM
The static route will most definitely affect the flow of traffic. The crypto ACL defines what traffic to encrypt that leaves an interface. So if there is a static route pointing in a different direction, that traffic will never enter and leave the interface with the crypto configuration. Your only option in this situation is to either add a more specific route pointing out the crypto interface, or, if there is no other more specific route that you can add, you will need to remove that static route.
11-08-2013 12:36 PM
How do I enter a route that points down an IPSEC tunnel? Do I use the IP of the remote peer as the 'destination gateway'? Here's the syntax of the routes I use below. This might be OK... I can have one lower-cost route that points down the IPSEC tunnel, and a higher-cost route that points down the frame-relay. When the tunnel goes away, the route will drop, and the higher-cost route wins. ....Right?
route
11-08-2013 12:48 PM
Higher cost route never wins. It is always the lower cost route which takes preference.
Your syntax looks good, with the DST interface being the interface that the remote network is reachable through. The destination gateway would be the next hop along the path, not the remote end. So if your ISP's IP address is 192.168.1.1 and that is the next hop in the path to the remote network, then that is your destination GW.
route outside
route DMZ
In the above config scenario the configuration with a cost of 1 will always win over the cost of 5. So traffic will never be sent out the DMZ interface in this scenario.
11-08-2013 01:07 PM
Using info from my config I pasted in, I propose the following statements:
route DMZ Forestville-FTP 255.255.255.255 192.168.1.1 5 (route that points down frame-relay)
route outside Forestville-FTP 255.255.255.255 15.16.17.18 1 (route that points down ipsec tunnel)
I read an article that showed someone routing traffic through an IPSEC tunnel by using the remote peer as the destination gateway. And the remote-peer IP was not part of any layer-3 network that was connected to the firewall. From a routing-statement standpoint, the next-hop gateway was not on a connected network.
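Putting the accepted answer's tracked-route idea together with the two-route proposal above, here is what the pair would look like on the ASA in this thread. This is an added example, not configuration from any of the posts; the SLA id 10 and track id 1 are arbitrary, 192.168.4.160 is the Forestville-FTP name from the posted config, and the gateway of the primary route is the existing default-route next hop 172.16.188.1 (the "next hop along the path" as the earlier reply advises), not the remote VPN peer.

```cisco
! Added example (not from the thread). Reachability probe to the Forestville FTP
! host, sent out the crypto-mapped interface; ids 10 and 1 are arbitrary.
sla monitor 10
 type echo protocol ipIcmpEcho 192.168.4.160 interface outside
 num-packets 3
 timeout 5000
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Primary path (metric 1): points out "outside" so the flow is matched against
! crypto ACL toForestville and encrypted. Withdrawn automatically while track 1
! is down, so the backup below takes over instead of traffic being black-holed.
route outside 192.168.4.160 255.255.255.255 172.16.188.1 1 track 1
! Backup path (metric 5) over the frame-relay link on DMZ; only installed while
! the tracked route is absent, so it never competes with metric 1.
route DMZ 192.168.4.160 255.255.255.255 192.168.1.1 5
```

The probe is sourced from the outside interface address, so it only travels inside the tunnel if the crypto ACL on both ends also covers that address to 192.168.4.160; otherwise it leaves in the clear, fails, and the tracked route stays withdrawn. Check as well that the Forestville_vpn_filter, which today permits only FTP, does not drop the ICMP probe.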