site to site vpn issue...

IOS_support (Level 1)

I am having issues with just the VPN to the main LAN, regardless of the VLAN sub..... Can you help me? I've attached two things: 1. the new config, 2. the errors I'm encountering.
When I ping the public IPs, the VPN messages do not seem to error and I can ping. When I try to ping from the remote network to the local network (internal IPs), then I get these messages....

: Saved
:
ASA Version 9.1(2)
!
hostname SPTASA
domain-name SPT.LOCAL
enable password LCF3phzihasrhsIb encrypted
names
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif Outside
 security-level 0
 ip address E.E.E.E 255.255.255.248
!
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif Inside
 security-level 100
 ip address B.B.B.B 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif SPT_DC
 security-level 100
 ip address C.C.C.C 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server X.X.X.X
 domain-name SPT.LOCAL
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network SPT_Inside
 subnet B.B.B.B 255.255.255.0
 description SPT Inside Subnet
object network Inside
 subnet B.B.B.B 255.255.255.0
object network NETWORK_OBJ_B.B.B.B_24
 subnet B.B.B.B 255.255.255.0
object network AIM_Lan
 subnet A.A.A.A 255.255.255.0
access-list AIM_s2s_VPN extended permit ip B.B.B.B 255.255.255.0 A.A.A.A 255.255.255.0
access-list AIM_s2s_VPN extended permit icmp B.B.B.B 255.255.255.0 A.A.A.A 255.255.255.0
access-list AIM_s2s_VPN extended permit tcp B.B.B.B 255.255.255.0 A.A.A.A 255.255.255.0
access-list AIM_s2s_VPN extended permit udp B.B.B.B 255.255.255.0 A.A.A.A 255.255.255.0
access-list AIM_s2s_VPN extended permit ip object AIM_Lan object Inside
pager lines 24
logging enable
logging asdm debugging
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu management 1500
mtu SPT_DC 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source dynamic any interface
nat (Outside,Inside) source dynamic any interface
nat (SPT_DC,Outside) source dynamic any interface
nat (Outside,SPT_DC) source dynamic any interface
nat (Inside,Outside) source static Inside Inside destination static AIM_Lan AIM_Lan
route Outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http B.B.B.B 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map AIM_VPN_MAP 1 match address AIM_s2s_VPN
crypto map AIM_VPN_MAP 1 set peer D.D.D.D
crypto map AIM_VPN_MAP 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map AIM_VPN_MAP interface Outside
crypto ca trustpool policy
crypto ikev1 enable Outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
!
dhcpd address B.B.B.2-B.B.B.154 Inside
dhcpd enable Inside
!
dhcpd address B.B.B.2-B.B.B.154 SPT_DC
dhcpd enable SPT_DC
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
tunnel-group D.D.D.D type ipsec-l2l
tunnel-group D.D.D.D ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:244ab793e694fe0eff06ef37cd8bd56c
: end

Errors I am getting:

3 Jul 22 2014 13:46:58 Group = X.X.X.X, IP = X.X.X.X, Removing peer from correlator table failed, no match!
4 Jul 22 2014 13:46:58 Group = X.X.X.X, Username = X.X.X.X, IP = X.X.X.X, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:04s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
5 Jul 22 2014 13:46:58 Group = X.X.X.X, IP = X.X.X.X, Session is being torn down. Reason: crypto map policy not found
3 Jul 22 2014 13:46:58 Group = X.X.X.X, IP = X.X.X.X, QM FSM error (P2 struct &0x00007fff9fd2ed70, mess id 0xf088531b)!
3 Jul 22 2014 13:46:58 Group = X.X.X.X, IP = X.X.X.X, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface Outside

7 Replies

Hi,

You need to correct the following things:

1) Your crypto map ACL should be the same on both sides. Check the same with your peer location:

crypto map AIM_VPN_MAP 1 match address AIM_s2s_VPN
access-list AIM_s2s_VPN extended permit ip B.B.B.B 255.255.255.0 A.A.A.A 255.255.255.0
access-list AIM_s2s_VPN extended permit icmp B.B.B.B 255.255.255.0 A.A.A.A 255.255.255.0
access-list AIM_s2s_VPN extended permit tcp B.B.B.B 255.255.255.0 A.A.A.A 255.255.255.0
access-list AIM_s2s_VPN extended permit udp B.B.B.B 255.255.255.0 A.A.A.A 255.255.255.0
access-list AIM_s2s_VPN extended permit ip object AIM_Lan object Inside

2) You are doing PATing for any traffic moving out of the outside interface; you should have nat 0 / NONAT between your peer locations.

Let me know if you need any assistance.

HTH

Sandy
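As an added illustration of point 2 above (this is not code from the thread or from Cisco), the following Python model applies the ASA's top-down, first-match evaluation of manual NAT rules to the rule order posted in the config and to the corrected order with the identity (NAT-exempt) rule placed first, then checks whether the post-NAT source still matches the crypto ACL AIM_s2s_VPN. The subnets and the Outside IP are constructed placeholders for the anonymised A.A.A.A, B.B.B.B and E.E.E.E.

```python
import ipaddress

# Constructed placeholder addresses standing in for the thread's anonymised
# A.A.A.A (peer LAN), B.B.B.B (ASA Inside LAN) and E.E.E.E (Outside IP).
AIM_LAN = ipaddress.ip_network("10.1.0.0/24")
INSIDE = ipaddress.ip_network("10.2.0.0/24")
OUTSIDE_IP = ipaddress.ip_address("198.51.100.2")
ANY = ipaddress.ip_network("0.0.0.0/0")

def nat_rule(src_net, dst_net, action):
    """One manual (section 1) NAT rule for the (Inside,Outside) interface pair."""
    return {"src": src_net, "dst": dst_net, "action": action}

# Rule order as posted: dynamic PAT to the interface is listed first, the
# identity rule that should exempt VPN traffic from NAT is listed last.
POSTED_ORDER = [
    nat_rule(ANY, None, "pat"),           # nat (Inside,Outside) source dynamic any interface
    nat_rule(INSIDE, AIM_LAN, "exempt"),  # nat (Inside,Outside) source static Inside Inside destination static AIM_Lan AIM_Lan
]
# Corrected order: the identity rule moves to position 1, which on the ASA is
# done by giving it a line number, e.g.
#   nat (Inside,Outside) 1 source static Inside Inside destination static AIM_Lan AIM_Lan
FIXED_ORDER = [POSTED_ORDER[1], POSTED_ORDER[0]]

def translate(rules, src, dst):
    """Return the source IP (as a string) after first-match NAT evaluation."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if src_ip not in rule["src"]:
            continue
        if rule["dst"] is not None and dst_ip not in rule["dst"]:
            continue
        return str(OUTSIDE_IP) if rule["action"] == "pat" else src  # first match wins
    return src  # no manual rule matched: address unchanged

def matches_crypto_acl(src, dst):
    """Crypto ACL AIM_s2s_VPN: permit ip B.B.B.B/24 -> A.A.A.A/24."""
    return ipaddress.ip_address(src) in INSIDE and ipaddress.ip_address(dst) in AIM_LAN

def tunnel_eligible(rules, src, dst):
    """True if the packet still matches the crypto ACL after NAT (the ASA encrypts
    it); False means it leaves Outside PATed to the interface IP, outside the tunnel."""
    return matches_crypto_acl(translate(rules, src, dst), dst)

if __name__ == "__main__":
    flow = ("10.2.0.10", "10.1.0.10")  # constructed Inside host pinging an AIM_Lan host
    for name, rules in (("posted", POSTED_ORDER), ("fixed", FIXED_ORDER)):
        print(name, "->", translate(rules, *flow), "encrypted:", tunnel_eligible(rules, *flow))
```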

I have all of #1 correct.

The problem now is: the tunnel is up, and the remote network (A.A.A.A) can ping/access across the tunnel. This network doesn't have an ASA.

But the ASA side (B.B.B.B) cannot ping/access the remote network (A.A.A.A)... When pinging, it looks as if the ASA is 'seeing' it, but I am also getting an error in the VPN/Packet Tracer about a configured rule issue.

Hi,

I am suspecting a problem with the crypto map ACL.

Could you please join the webex below?

https://meetings.webex.com/collabs/meetings/join?uuid=M5OB3OP4MVZ7W34FKYR2P36PFD-512H

HTH

Sandy

Says the meeting has ended... I set up a join.me ~ 399-913-155

 

Could you please open it again?

 

Sorry, have to do another one: 620 849 543

Hi,

I have a document attached which should support your requirement.

HTH

Sandy
