New Member

ASA 5505 and RVS4000

I am having all sorts of trouble connecting a Cisco RVS4000 to a Cisco ASA 5505 over IPSec... I have used the "site to site" VPN wizard. I am new at this, so any advice would be good. I have a fresh "factory reset" on my ASA 5505...

11 REPLIES

ASA 5505 and RVS4000

Please post the config from both devices; I can look into it for you.

thanks

New Member

ASA 5505 and RVS4000

ASA 5505 Config

: Saved
:
ASA Version 8.4(3) 
!
hostname ciscoasa
enable password Yn8Esq3NcXIHL35v encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.0.0.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Office
 subnet 192.168.1.0 255.255.255.0
object network Remote
 subnet 10.0.0.0 255.0.0.0
access-list outside_cryptomap extended permit ip object Remote object Office 
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (outside,outside) source static Remote Remote destination static Office Office no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 71.65.82.167 
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 ipsec-over-tcp port 10000 
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
dhcpd address 10.0.0.5-10.0.0.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_71.65.82.167 internal
group-policy GroupPolicy_71.65.82.167 attributes
 vpn-tunnel-protocol ikev2 
tunnel-group 71.65.82.167 type ipsec-l2l
tunnel-group 71.65.82.167 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:99c9772034aa8cbd746af5df96334d8f
: end
no asdm history enable

RVS 4000 - the blank box in Local with red is where I enter my site B WAN IP, and in Remote is where I set up my site A WAN.

Re: ASA 5505 and RVS4000

Hi there,

Please follow this change on your ASA

Please remove the old nat and add the new nat as shown below.

nat (inside,outside) source static Remote Remote destination static Office Office no-proxy-arp route-lookup

Please remove the old config and add the new tunnel-group as shown below
tunnel-group 71.65.82.167 ipsec-attributes
ikev1 pre-shared-key hello-sir-your-key-goes-here

Please add a static route on the FW.
route outside 192.168.1.0 255.255.255.0 xxx.xxx.xxx.xxx  X is your Firewall default-gateway.

Let me know how this is coming along.

thanks

Rizwan Rafeek
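
The three corrections in this reply (identity NAT direction, IKEv1 pre-shared key on the tunnel-group, a usable next hop for the static route) can be checked mechanically before the tunnel is brought up. The following script is an added example, not code from this thread, from Cisco or from the RVS4000: it parses an ASA 8.4 running-config excerpt and flags those defects plus the IKE version mismatch visible in the first config (crypto map offers only IKEv2, no `crypto ikev1 enable outside`). SAMPLE_CONFIG is a constructed, trimmed excerpt of the first config posted above; every function name is the author's own.

```python
"""ASA 8.4 site-to-site IPsec config sanity checks (added example, not code from
the thread, Cisco or the RVS4000). SAMPLE_CONFIG is a constructed, trimmed excerpt
of the first config posted above; all function names are the author's own."""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.0.0.1 255.0.0.0
interface Vlan2
 nameif outside
 ip address dhcp setroute
nat (outside,outside) source static Remote Remote destination static Office Office no-proxy-arp route-lookup
route outside 192.168.1.0 255.255.255.0 10.0.0.1 1
crypto map outside_map 1 set peer 71.65.82.167
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ikev2 enable outside
tunnel-group 71.65.82.167 type ipsec-l2l
tunnel-group 71.65.82.167 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
"""


def parse_sections(text):
    """Split an ASA config into (top-level line, [indented sub-lines]) pairs."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        elif not raw.startswith(" "):
            sections.append((raw.strip(), []))
    return sections


def interface_addresses(sections):
    """Map nameif -> IPv4Interface for interfaces that have a static address."""
    addrs = {}
    for header, body in sections:
        if not header.startswith("interface "):
            continue
        name, addr = None, None
        for line in body:
            if line.startswith("nameif "):
                name = line.split()[1]
            m = re.match(r"ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$", line)
            if m:
                addr = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        if name and addr:
            addrs[name] = addr
    return addrs


def check_config(text):
    """Return a list of (code, message) findings; an empty list means nothing flagged."""
    sections = parse_sections(text)
    headers = [h for h, _ in sections]
    ifaces = interface_addresses(sections)
    findings = []

    # 1. The no-NAT (identity) rule for tunnel traffic must be inside -> outside.
    for h in headers:
        if h.startswith("nat (outside,outside) source static"):
            findings.append(("NAT", "identity NAT for the tunnel is (outside,outside); "
                             "it has to be nat (inside,outside) to exempt inside traffic"))

    # 2. A static route cannot point at one of the ASA's own addresses (the ASA
    #    rejects it), and a network address is not a usable gateway either.
    for h in headers:
        m = re.match(r"route (\S+) (\S+) (\S+) (\d+\.\d+\.\d+\.\d+)", h)
        if not m:
            continue
        nexthop = ipaddress.ip_address(m.group(4))
        for name, iface in ifaces.items():
            if nexthop == iface.ip:
                findings.append(("ROUTE", f"next hop {nexthop} is the ASA's own {name} "
                                 "address; use the upstream gateway instead"))
            elif nexthop == iface.network.network_address:
                findings.append(("ROUTE", f"next hop {nexthop} is the {name} network "
                                 "address, not a host; the route can never forward"))

    # 3. An IKEv1 peer (Openswan Main Mode) needs an IKEv1 transform set on the
    #    crypto map entry and 'crypto ikev1 enable' on the map's interface.
    has_peer = any(re.match(r"crypto map \S+ \d+ set peer ", h) for h in headers)
    has_v1_ts = any(re.match(r"crypto map \S+ \d+ set ikev1 transform-set ", h) for h in headers)
    if has_peer and not has_v1_ts:
        findings.append(("IKEV1-MAP", "crypto map entry offers no IKEv1 transform set"))
    for h in headers:
        m = re.match(r"crypto map \S+ interface (\S+)$", h)
        if m and f"crypto ikev1 enable {m.group(1)}" not in headers:
            findings.append(("IKEV1-ENABLE", f"IKEv1 is not enabled on {m.group(1)}"))

    # 4. An ipsec-l2l tunnel-group for an IKEv1 peer needs an IKEv1 pre-shared key.
    l2l = {h.split()[1] for h in headers if re.match(r"tunnel-group \S+ type ipsec-l2l$", h)}
    for h, body in sections:
        m = re.match(r"tunnel-group (\S+) ipsec-attributes$", h)
        if m and m.group(1) in l2l and not any(
                line.startswith("ikev1 pre-shared-key") for line in body):
            findings.append(("PSK", f"tunnel-group {m.group(1)} has no 'ikev1 pre-shared-key'"))
    return findings


if __name__ == "__main__":
    for code, msg in check_config(SAMPLE_CONFIG):
        print(f"[{code}] {msg}")
```

Run it against `show running-config` output pasted into a file; on the sample it reports all five findings, and a config with the corrections applied reports none. The checks deliberately do not resolve object names, so they work on the trimmed excerpt as well as on a full config.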

New Member

Re: ASA 5505 and RVS4000

I ran into a problem here:

route outside 192.168.1.0 255.255.255.0 xxx.xxx.xxx.xxx  X is your Firewall default-gateway.

Error:

ciscoasa(config)# route outside 192.168.1.0 255.255.255.0 10.0.0.1

%Invalid next hop address, it belongs to one of our interfaces

So I changed it to 10.0.0.0 and it accepted it... Here is the RVS 4000 log with errors:

Mar 4 09:11:10 - [VPN Log]: shutting down

Mar 4 09:11:10 - [VPN Log]: forgetting secrets

Mar 4 09:11:10 - [VPN Log]: "1": deleting connection

Mar 4 09:11:10 - [VPN Log]: "1" #2: deleting state (STATE_MAIN_I1)

Mar 4 09:11:10 - [VPN Log]: ERROR: "1": pfkey write() of SADB_X_DELFLOW message 6 for flow int.0@0.0.0.0 failed. Errno 14: Bad address

Mar 4 09:11:10 - [VPN Log]: | 02 0f 00 0b 0e 00 00 00 06 00 00 00 11 26 00 00

Mar 4 09:11:10 - [VPN Log]: | 03 00 15 00 00 00 00 00 02 00 00 00 c0 a8 01 00

Mar 4 09:11:10 - [VPN Log]: | 00 00 00 00 84 0b 00 40 03 00 16 00 00 00 00 00

Mar 4 09:11:10 - [VPN Log]: | 02 00 00 00 0a 00 00 00 b0 25 01 00 25 00 00 00

Mar 4 09:11:10 - [VPN Log]: | 03 00 17 00 00 00 00 00 02 00 00 00 ff ff ff 00

Mar 4 09:11:10 - [VPN Log]: | 4e 53 4d 49 54 20 69 6e 03 00 18 00 00 00 00 00

Mar 4 09:11:10 - [VPN Log]: | 02 00 00 00 ff 00 00 00 20 65 78 70 00 00 00 00

Mar 4 09:11:11 - [VPN Log]: "1": unroute-client output: 0

Mar 4 09:11:11 - [VPN Log]: shutting down interface ipsec0/eth1 71.65.82.167:4500

Mar 4 09:11:11 - [VPN Log]: shutting down interface ipsec0/eth1 71.65.82.167:500

Mar 4 09:11:15 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)

Mar 4 09:11:15 - [VPN Log]: @(#) built on May 17 2011:12:00:43:

Mar 4 09:11:15 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on

Mar 4 09:11:15 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1

Mar 4 09:11:15 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)

Mar 4 09:11:15 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)

Mar 4 09:11:15 - [VPN Log]: starting up 1 cryptographic helpers

Mar 4 09:11:15 - [VPN Log]: started helper pid=10398 (fd:5)

Mar 4 09:11:15 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star

Mar 4 09:11:15 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'

Mar 4 09:11:15 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'

Mar 4 09:11:15 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'

Mar 4 09:11:15 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'

Mar 4 09:11:15 - [VPN Log]: Warning: empty directory

Mar 4 09:11:15 - [VPN Log]: added connection description "1"

Mar 4 09:11:15 - [VPN Log]: listening for IKE messages

Mar 4 09:11:15 - [VPN Log]: adding interface ipsec0/eth1 71.65.82.167:500

Mar 4 09:11:15 - [VPN Log]: adding interface ipsec0/eth1 71.65.82.167:4500

Mar 4 09:11:15 - [VPN Log]: loading secrets from "/etc/ipsec.secrets"

Mar 4 09:11:17 - [VPN Log]: "1": route-client output: 0

Mar 4 09:11:17 - [VPN Log]: "1" #1: initiating Main Mode

Mar 4 09:12:27 - [VPN Log]: "1" #1: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message

Here is the show config from the ASA after I made the changes you suggested:

: Saved
:
ASA Version 8.4(3) 
!
hostname ciscoasa
enable password Yn8Esq3NcXIHL35v encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.0.0.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Office
 subnet 192.168.1.0 255.255.255.0
object network Remote
 subnet 10.0.0.0 255.0.0.0
access-list outside_cryptomap extended permit ip object Remote object Office 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (outside,outside) source static Remote Remote destination static Office Office no-proxy-arp route-lookup
nat (inside,outside) source static Remote Remote destination static Office Office no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 192.168.1.0 255.255.255.0 10.0.0.0 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 71.65.82.167 
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000 
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
dhcpd address 10.0.0.5-10.0.0.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_71.65.82.167 internal
group-policy GroupPolicy_71.65.82.167 attributes
 vpn-tunnel-protocol ikev1 ikev2 
tunnel-group 71.65.82.167 type ipsec-l2l
tunnel-group 71.65.82.167 general-attributes
 default-group-policy GroupPolicy_71.65.82.167
tunnel-group 71.65.82.167 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:9e86d6efd02e5d026a6dedd0a9eb4e11
: end
no asdm history enable

Is a setting wrong on the RVS? It's just configured by the web etc., but it seems like the ASA is blocking it? Any way of giving me the commands to start from scratch to set this up from the command line? Perhaps I should reset and start from scratch? I appreciate your time in helping me get this going.

New Member

Re: ASA 5505 and RVS4000

OK, I misread and missed where you said to delete the old NAT and config... I did so in the ASDM and saved it, then went to the command line and re-added the NAT with no problem, but when I go to re-create the tunnel-group I get this:

ciscoasa(config)# tunnel-group 71.65.82.167 ipsec-attributes

                                                                 ^

ERROR: % Invalid input detected at '^' marker.

ciscoasa(config)#

?

Re: ASA 5505 and RVS4000

You must create the tunnel-group first as shown below...

tunnel-group 71.65.82.167 type ipsec-l2l

and then

tunnel-group 71.65.82.167 ipsec-attributes

Re: ASA 5505 and RVS4000

Please remove these highlighted lines.

tunnel-group 71.65.82.167 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

"Is a setting wrong on the RVS?" I have never worked on RVS devices, but it seems to be OK.

"It's just configured by the web etc., but it seems like the ASA is blocking it?" Not really, but the configuration is not correct yet on the ASA.

"Perhaps I should reset and start from scratch?" not needed.

Initiate a ping from a PC behind the ASA to an available IP address on the remote segment.

Let me know the results.

thanks

New Member

Re: ASA 5505 and RVS4000

The networks that I created: "Office" - does it need to be 192.168.1.1/255.255.255.0 or 192.168.1.0/255.255.255.0,

and Remote (ASA) 10.0.0.0/255.0.0.0 or 10.0.0.1/255.0.0.0?

Re: ASA 5505 and RVS4000

"The networks that I created "Office" Do they need to be 192.168.1.1/255.255.255.0 or 192.168.1.0/255.255.255.0

and Remote (Asa) 10.0.0.0/255.0.0.0 or 10.0.0.1/255.0.0.0"

I am aware of that.

Your naming convention does not match what is configured on the ASA firewall.

interface Vlan1

nameif inside

security-level 100

ip address 10.0.0.1 255.0.0.0

object network Remote

subnet 10.0.0.0 255.0.0.0

Obviously 10.0.0.1 is the local segment with mask /8.

object network Office

subnet 192.168.1.0 255.255.255.0

Object names are for human understanding, but the syntax used to carry the config has to be correct.

Can you establish the tunnel?

thanks

New Member

Re: ASA 5505 and RVS4000

I was not able to establish a tunnel, but I did a reset and changed some things, and I believe I am much closer here...

I reset the ASA 5505 to an inside address of 192.168.1.1 / 255.255.255.0

Firewall network object 329 (my office) is 192.168.1.0 / 255.255.255.0

Firewall network object 64 (remote office) is 192.168.2.0 / 255.255.255.0

The remote office (RVS4000) is kicking this back now:

adding interface ipsec0/eth1 71.65.82.167:500

Mar 4 13:50:59 - [VPN Log]: adding interface ipsec0/eth1 71.65.82.167:4500

Mar 4 13:50:59 - [VPN Log]: loading secrets from "/etc/ipsec.secrets"

Mar 4 13:51:01 - [VPN Log]: "Remote": route-client output: 0

Mar 4 13:51:01 - [VPN Log]: "Remote" #1: initiating Main Mode

Mar 4 13:51:01 - [VPN Log]: packet from 174.102.52.148:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN

Mar 4 13:51:01 - [VPN Log]: packet from 174.102.52.148:500: received and ignored informational message

Mar 4 13:51:11 - [VPN Log]: packet from 174.102.52.148:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN

Mar 4 13:51:11 - [VPN Log]: packet from 174.102.52.148:500: received and ignored informational message

At the remote site with the RVS4000 I can ping the ASA and get a response. From my office I ping the remote office and I get no response.

Here is my new ASA Config:

: Saved
:
ASA Version 8.4(3) 
!
hostname ciscoasa
enable password Yn8Esq3NcXIHL35v encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 329
 subnet 192.168.1.0 255.255.255.0
object network 64
 subnet 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object 329 object 64 
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static 329 329 destination static 64 64 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 71.65.82.167 
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_71.65.82.167 internal
group-policy GroupPolicy_71.65.82.167 attributes
 vpn-tunnel-protocol ikev1 
tunnel-group 71.65.82.167 type ipsec-l2l
tunnel-group 71.65.82.167 general-attributes
 default-group-policy GroupPolicy_71.65.82.167
tunnel-group 71.65.82.167 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:e4a02e8bfc561ad76dc0a8967e7c55b9
: end
no asdm history enable
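
The two RVS4000 logs in this thread show two different failure signatures: the first run ends in `max number of retransmissions (2) reached STATE_MAIN_I1` (the ASA never answered the IKEv1 Main Mode request), the second gets `NO_PROPOSAL_CHOSEN` back from the ASA's public address (the ASA answered but accepted none of the offered proposals). The script below is an added example, not code from this thread, from Cisco or from Openswan: it parses Openswan/Pluto log lines in the `Mon D HH:MM:SS - [VPN Log]: ...` form the RVS4000 emits, classifies each line, and returns the most conclusive failure seen. LOG_A and LOG_B are constructed from lines posted above (peer addresses as they appear in the thread); the classification rules and all function names are the author's own.

```python
"""Triage of Openswan (Pluto) VPN log lines as the RVS4000 reports them.
Added example, not code from the thread, Cisco or Openswan. LOG_A/LOG_B are
constructed from lines posted in the thread; rules and names are the author's own."""
import re

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) - \[VPN Log\]: (.*)$")

# Message patterns, ordered from least to most conclusive.
PATTERNS = [
    ("phase1-started", re.compile(r'"(?P<conn>[^"]+)" #\d+: initiating Main Mode')),
    ("sa-flush-error", re.compile(r"pfkey write\(\) of SADB_X_DELFLOW .* failed")),
    ("no-response", re.compile(
        r"max number of retransmissions \((?P<retries>\d+)\) reached STATE_MAIN_I1")),
    ("proposal-rejected", re.compile(
        r"packet from (?P<peer>[\d.]+):\d+: ignoring informational payload, "
        r"type NO_PROPOSAL_CHOSEN")),
]

EXPLANATIONS = {
    "no-ike-activity": "No IKE negotiation found in the log.",
    "phase1-started": "Pluto sent its first Main Mode message; nothing has failed yet.",
    "sa-flush-error": "Kernel refused an SA flush during restart; noise, not a negotiation fault.",
    "no-response": ("No IKE reply at all: the peer is down, UDP/500 does not reach it, "
                    "or IKEv1 is not enabled on the peer's interface."),
    "proposal-rejected": ("The peer answered NO_PROPOSAL_CHOSEN, so none of the offered "
                          "proposals matched: compare phase 1 (encryption, hash, DH group, "
                          "PSK auth) and phase 2 (transform set, traffic selectors) on both sides."),
}

# Constructed sample: the first run posted above (restart, then no answer).
LOG_A = """\
Mar 4 09:11:10 - [VPN Log]: "1" #2: deleting state (STATE_MAIN_I1)
Mar 4 09:11:10 - [VPN Log]: ERROR: "1": pfkey write() of SADB_X_DELFLOW message 6 for flow int.0@0.0.0.0 failed. Errno 14: Bad address
Mar 4 09:11:10 - [VPN Log]: | 02 0f 00 0b 0e 00 00 00 06 00 00 00 11 26 00 00
Mar 4 09:11:15 - [VPN Log]: listening for IKE messages
Mar 4 09:11:17 - [VPN Log]: "1" #1: initiating Main Mode
Mar 4 09:12:27 - [VPN Log]: "1" #1: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
"""

# Constructed sample: the second run posted above (answered, proposal rejected).
LOG_B = """\
Mar 4 13:51:01 - [VPN Log]: "Remote" #1: initiating Main Mode
Mar 4 13:51:01 - [VPN Log]: packet from 174.102.52.148:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Mar 4 13:51:01 - [VPN Log]: packet from 174.102.52.148:500: received and ignored informational message
Mar 4 13:51:11 - [VPN Log]: packet from 174.102.52.148:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"""


def parse_events(log_text):
    """Return one dict per recognised line: time, kind and any captured fields."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # hex dumps and unrelated chatter are skipped
        stamp, msg = m.groups()
        for kind, pat in PATTERNS:
            hit = pat.search(msg)
            if hit:
                events.append({"time": stamp, "kind": kind, **hit.groupdict()})
                break
    return events


def verdict(events):
    """Most conclusive kind present; 'phase1-started' only if nothing failed."""
    order = [kind for kind, _ in PATTERNS]
    seen = {e["kind"] for e in events}
    ranked = [k for k in order if k in seen]
    return ranked[-1] if ranked else "no-ike-activity"


def report(log_text):
    """Two-line human summary: verdict (with responding peers) and explanation."""
    events = parse_events(log_text)
    v = verdict(events)
    peers = sorted({e["peer"] for e in events if "peer" in e})
    head = f"verdict: {v}" + (f" (peer {', '.join(peers)})" if peers else "")
    return head + "\n" + EXPLANATIONS[v]


if __name__ == "__main__":
    for name, log in (("LOG_A", LOG_A), ("LOG_B", LOG_B)):
        print(f"--- {name}\n{report(log)}")
```

Feed it the RVS4000's VPN log (copied from the web UI) and read the verdict before touching either config: a `no-response` verdict points at reachability or at IKEv1 not being enabled on the ASA's outside interface, while `proposal-rejected` means the two sides are talking and the remaining work is aligning the phase 1 policy and phase 2 transform set.
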
New Member

Re: ASA 5505 and RVS4000

I disabled keepalives and the VPN tunnel is now connected; however, I cannot ping anything on the other side. From 192.168.1.1 I can ping 192.168.2.1, but from 192.168.2.1 I cannot ping 192.168.1.1.
