
New Member

ASA 5510 Site to Site

The original plan was for one side to use a dynamic IP and the other a static one, but since the dynamic setup is not working I tried to configure static on both ends, and it still will not come up.

Stuck on Phase 1. I have used PIX and set them up without any problem.

Here are the configs

######### REMOTE A #########

! Phase 1 (ISAKMP / IKEv1)
isakmp enable outside
isakmp identity auto
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Interesting traffic for phase 2
access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 172.16.0.0 255.255.240.0
! Phase 2 (IPsec) proposal and crypto map
crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
crypto map StaticMap 20 match address outside_cryptomap_20
crypto map StaticMap 20 set peer REMOTEIP
crypto map StaticMap 20 set transform-set Site2Site
crypto map StaticMap 20 set pfs group2
! [Tried with and without]
tunnel-group REMOTEIP type ipsec-l2l
tunnel-group REMOTEIP ipsec-attributes
 pre-shared-key PRESHARE
crypto map StaticMap interface outside
! NAT exemption for tunnelled traffic
access-list nonat extended permit ip 192.168.12.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.12.0 255.255.255.0 172.16.0.0 255.255.240.0
nat (inside) 0 access-list nonat

######### REMOTE B #########

! Phase 1 (ISAKMP / IKEv1)
isakmp enable outside
isakmp identity auto
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Interesting traffic for phase 2
access-list outside_cryptomap_20 permit ip 10.0.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.16.0.0 255.255.240.0 192.168.12.0 255.255.255.0
! Phase 2 (IPsec) proposal and crypto map
crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
crypto map StaticMap 20 match address outside_cryptomap_20
crypto map StaticMap 20 set peer REMOTEIP
crypto map StaticMap 20 set transform-set Site2Site
crypto map StaticMap 20 set pfs group2
! [Tried with and without]
tunnel-group REMOTEIP type ipsec-l2l
tunnel-group 99.REMOTEIP ipsec-attributes
 pre-shared-key PRESHARE
crypto map StaticMap interface outside
! NAT exemption for tunnelled traffic
access-list nonat extended permit ip 10.0.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.240.0 192.168.12.0 255.255.255.0
nat (inside) 0 access-list nonat

Double-check the config; a second pair of eyes is always helpful.

5 REPLIES
New Member

Re: ASA 5510 Site to Site

##################################### Here is a part of the debug: REMOTE B #####################################

Aug 18 07:18:25 [IKEv1 DEBUG]: IP = REMOTEIP, IKE MM Responder FSM error history (struct &0x351ecd8) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
Aug 18 07:18:25 [IKEv1 DEBUG]: IP = REMOTEIP, IKE SA MM:1383969c terminating: flags 0x01000002, refcnt 0, tuncnt 0
Aug 18 07:18:25 [IKEv1 DEBUG]: IP = REMOTEIP, sending delete/delete with reason message
Aug 18 07:18:25 [IKEv1]: IP = REMOTEIP, Removing peer from peer table failed, no match!
Aug 18 07:18:25 [IKEv1]: IP = REMOTEIP, Error: Unable to remove PeerTblEntry
Aug 18 07:18:26 [IKEv1 DEBUG]: IP = REMOTEIP, IKE MM Responder FSM error history (struct &0x351f478) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent
Aug 18 07:18:26 [IKEv1 DEBUG]: IP = REMOTEIP, IKE SA MM:c8b7e093 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Aug 18 07:18:26 [IKEv1 DEBUG]: IP = REMOTEIP, sending delete/delete with reason message
Aug 18 07:18:26 [IKEv1]: IP = REMOTEIP, Removing peer from peer table failed, no match!
Aug 18 07:18:26 [IKEv1]: IP = REMOTEIP, Error: Unable to remove PeerTblEntry

I am starting to think it has to do with it trying XAUTH, but the ASA does not use "isa key .......... noxauth".
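An added example, not part of the post above, that reads the "IKE MM Responder FSM error history" lines quoted in it and reports where IKEv1 main mode stalled on REMOTE B. The ASA prints the transitions newest-first, so the script reverses them and takes the furthest state reached. The mapping of the MM_* states onto main-mode messages follows the standard IKEv1 main-mode exchange (messages 1/2 carry the proposals, 3/4 the key exchange and nonces, 5/6 the identities and authentication hashes) and is this example's assumption, as is the regex for the line layout; the two sample lines are copied from the post.

```python
"""Read the 'IKE MM Responder FSM error history' lines that the ASA's
'debug crypto isakmp' prints and report where IKEv1 main mode stalled.
Added example for this thread; the sample lines are from the post."""
import re

# Responder states mapped to the main-mode message they belong to
# (assumed from the standard IKEv1 main-mode exchange, RFC 2409).
STATE_MEANING = {
    "MM_WAIT_MSG1": "waiting for initiator proposal (MSG1)",
    "MM_SND_MSG2":  "sent accepted proposal (MSG2)",
    "MM_WAIT_MSG3": "waiting for initiator KE+nonce (MSG3): phase-1 policy already matched",
    "MM_SND_MSG4":  "sent responder KE+nonce (MSG4)",
    "MM_WAIT_MSG5": "waiting for initiator ID+HASH (MSG5): a PSK mismatch first shows here",
    "MM_SND_MSG6":  "sent responder ID+HASH (MSG6)",
}
ORDER = list(STATE_MEANING)          # dict order == message order

HISTORY_RE = re.compile(r"FSM error history \(struct &0x[0-9a-f]+\)\s*,\s*:\s*(.*)$")

SAMPLE_LOG = """
Aug 18 07:18:25 [IKEv1 DEBUG]: IP = REMOTEIP, IKE MM Responder FSM error history (struct &0x351ecd8) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
Aug 18 07:18:25 [IKEv1 DEBUG]: IP = REMOTEIP, IKE SA MM:1383969c terminating: flags 0x01000002, refcnt 0, tuncnt 0
Aug 18 07:18:26 [IKEv1 DEBUG]: IP = REMOTEIP, IKE MM Responder FSM error history (struct &0x351f478) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent
"""

def parse_history(line):
    """Return [(state, event), ...] oldest first, or None for other lines."""
    m = HISTORY_RE.search(line)
    if not m:
        return None
    steps = []
    for chunk in m.group(1).split("-->"):
        parts = [p.strip() for p in chunk.split(",", 1)]
        steps.append((parts[0], parts[1] if len(parts) > 1 else ""))
    steps.reverse()                  # the ASA prints the newest transition first
    return steps

def diagnose(line):
    """Summarise one history line: furthest state reached, timeouts, resends."""
    steps = parse_history(line)
    if steps is None:
        return None
    reached = max((s for s, _ in steps if s in ORDER), key=ORDER.index, default=None)
    return {
        "furthest_state": reached,
        "meaning": STATE_MEANING.get(reached, "unknown"),
        "timeouts": sum(e == "EV_TIMEOUT" for _, e in steps),
        "resends": sum(e == "EV_RESEND_MSG" for _, e in steps),
    }

def diagnose_log(text):
    """Apply diagnose() to every FSM history line in a debug capture."""
    return [d for d in (diagnose(l) for l in text.splitlines()) if d]

if __name__ == "__main__":
    for d in diagnose_log(SAMPLE_LOG):
        print(f"{d['furthest_state']}: {d['meaning']} "
              f"(timeouts={d['timeouts']}, resends={d['resends']})")
```

For both histories in the post the furthest state is MM_WAIT_MSG3: REMOTE B accepted the initiator's phase-1 proposal, sent message 2, resent it, and never received message 3. Pre-shared key and XAUTH are not exercised until messages 5 and 6, so a wrong key would show up as a stall at MM_WAIT_MSG5 instead; a stall at message 3 points at the initiator (its own debug output) or at UDP/500 reachability between the peers.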

Bronze

Re: ASA 5510 Site to Site

The problem could be with the encryption you use on the ISAKMP part. You specified 3DES in your transform-set but you are using AES on the ISAKMP.

You should have:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

New Member

Re: ASA 5510 Site to Site

Actually, that is not the issue; the issue was a limitation which only allows 10 inside hosts to connect. The way around this was to ACL the inside interface to permit only essential traffic from specific clients/servers.

Bronze

Re: ASA 5510 Site to Site

Interesting... I would think that your encryption would have to match. Well, I learned something new today. Thanks indeed.

New Member

Re: ASA 5510 Site to Site

There are two phases. Phase 1 was using AES and Phase 2 is using 3DES. As long as both sides of the tunnel match on Phase 1 (in this case AES) and on Phase 2 (3DES), the tunnel will come up.
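An added example, not part of this thread, for the "second pair of eyes" request in the original post: a Python cross-check of the two posted configs. It parses the ISAKMP policy, transform-set, crypto map, tunnel-group and NAT-exemption lines (the embedded configs are the poster's, trimmed to those lines; the enable, identity, lifetime and interface lines are left out) and reports what must be identical on both peers (a phase-1 policy in common, the phase-2 transform-set, PFS) and what must be mirrored (the crypto ACL, which the nonat ACL must also cover). Phase 1 and phase 2 are checked independently, which is the point made in the reply above. Run against the configs as posted it reports one finding: on REMOTE B the pre-shared key sits under tunnel-group `99.REMOTEIP`, which does not match the `REMOTEIP` peer named in the crypto map. That may be a redaction slip in the post rather than a real typo, but it is exactly the kind of mismatch the checker exists to catch.

```python
"""Cross-check two ASA IPsec L2L configs for the mismatches that keep a
tunnel stuck in phase 1 or phase 2.  Added example, not from the post; the
configs below are the poster's, trimmed to the lines the checker reads."""
from collections import defaultdict

SIDE_A = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 172.16.0.0 255.255.240.0
crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
crypto map StaticMap 20 match address outside_cryptomap_20
crypto map StaticMap 20 set peer REMOTEIP
crypto map StaticMap 20 set transform-set Site2Site
crypto map StaticMap 20 set pfs group2
tunnel-group REMOTEIP type ipsec-l2l
tunnel-group REMOTEIP ipsec-attributes
 pre-shared-key PRESHARE
access-list nonat extended permit ip 192.168.12.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.12.0 255.255.255.0 172.16.0.0 255.255.240.0
"""
SIDE_B = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
access-list outside_cryptomap_20 permit ip 10.0.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.16.0.0 255.255.240.0 192.168.12.0 255.255.255.0
crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
crypto map StaticMap 20 match address outside_cryptomap_20
crypto map StaticMap 20 set peer REMOTEIP
crypto map StaticMap 20 set transform-set Site2Site
crypto map StaticMap 20 set pfs group2
tunnel-group REMOTEIP type ipsec-l2l
tunnel-group 99.REMOTEIP ipsec-attributes
 pre-shared-key PRESHARE
access-list nonat extended permit ip 10.0.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.240.0 192.168.12.0 255.255.255.0
"""

def parse(cfg):
    """Collect the objects that have to agree between the two peers."""
    d = {"policy": {}, "acl": defaultdict(list), "tset": {}, "map": defaultdict(dict),
         "tg_type": {}, "tg_psk": set()}
    tg = None                                   # tunnel-group sub-mode we are inside
    for t in (l.split() for l in cfg.splitlines() if l.strip()):
        if t[:2] == ["isakmp", "policy"]:
            d["policy"].setdefault(t[2], {})[t[3]] = " ".join(t[4:])
        elif t[0] == "access-list":             # [extended] permit ip SRC MASK DST MASK
            d["acl"][t[1]].append(tuple(x for x in t[2:] if x != "extended")[2:6])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            d["tset"][t[3]] = tuple(sorted(t[4:]))
        elif t[:2] == ["crypto", "map"] and t[3] != "interface":
            e = d["map"][(t[2], t[3])]          # 'match address ACL' or 'set KEY VALUE'
            e["acl" if t[4] == "match" else t[5]] = t[6] if t[4] == "match" else " ".join(t[6:])
        elif t[0] == "tunnel-group" and t[2] == "type":
            d["tg_type"][t[1]] = t[3]
        elif t[0] == "tunnel-group":            # '... ipsec-attributes' opens a sub-mode
            tg = t[1]
        elif t[0] == "pre-shared-key":
            d["tg_psk"].add(tg)                 # the key value itself is not compared
    return d

def mirror(entries):
    """Swap src/dst so peer B's crypto ACL can be compared with peer A's."""
    return sorted((dst, dm, src, sm) for src, sm, dst, dm in entries)

def check(a, b):
    """Return a list of mismatches; an empty list means the configs agree."""
    out = []
    for name, c in (("A", a), ("B", b)):        # per-peer references must resolve
        for (cm, seq), e in c["map"].items():
            peer = e.get("peer")
            if c["tg_type"].get(peer) != "ipsec-l2l":
                out.append(f"{name}: missing 'tunnel-group {peer} type ipsec-l2l'")
            if peer not in c["tg_psk"]:
                out.append(f"{name}: pre-shared-key is under {sorted(c['tg_psk'])}, not tunnel-group {peer}")
            crypto_acl = c["acl"].get(e.get("acl"), [])
            if not crypto_acl or any(x not in c["acl"].get("nonat", []) for x in crypto_acl):
                out.append(f"{name}: crypto ACL for {cm} {seq} is empty or not NAT-exempted")
    pa = {tuple(sorted(p.items())) for p in a["policy"].values()}
    pb = {tuple(sorted(p.items())) for p in b["policy"].values()}
    if not pa & pb:                              # phase 1 needs one policy in common
        out.append("phase 1: no ISAKMP policy is common to both peers")
    for key, ea in a["map"].items():             # phase 2 must match entry by entry
        eb = b["map"].get(key, {})
        if a["tset"].get(ea.get("transform-set")) != b["tset"].get(eb.get("transform-set")):
            out.append(f"phase 2: transform-set algorithms differ for {key}")
        if ea.get("pfs") != eb.get("pfs"):
            out.append(f"phase 2: PFS setting differs for {key}")
        if sorted(a["acl"].get(ea.get("acl"), [])) != mirror(b["acl"].get(eb.get("acl"), [])):
            out.append(f"phase 2: crypto ACLs for {key} are not mirror images")
    return out

if __name__ == "__main__":
    print("\n".join(check(parse(SIDE_A), parse(SIDE_B)) or ["no mismatches found"]))
```

The per-peer checks catch dangling references (a crypto-map peer with no matching tunnel-group or key, interesting traffic that the nonat ACL does not exempt); the cross-peer checks compare what the two boxes actually negotiate. Changing REMOTE B's `encryption aes` to `3des`, as the earlier reply suggested, makes the checker report a phase-1 mismatch instead, which is the practical reason the two phases have to be looked at separately.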
