10-16-2010 11:36 AM
Hello, I have an ASA 5505 that I am trying to configure as a site-to-site VPN. I can get to the internet behind the ASA and I can connect to the VPN, so it must be an issue with just the way that I am trying to connect site to site. The IP of the VPN is 1.1.1.1, my group is test and my username is test1. When I try to go to http://10.241.113.194 I cannot access the page. The IP is changed for security. Thanks for your help in advance.
Here is my config....
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name comcast.net
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.200 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 4Wtw78CIa2UJQxhM encrypted
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 205.171.2.65
name-server 205.171.3.65
domain-name comcast.net
access-list Home_Users_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended deny ip any host 207.225.227.242
access-list inside_nat0_outbound extended deny ip 192.168.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit ip any 192.168.1.64 255.255.255.192
access-list Home_Users_splitTunnelAcl_1 standard permit any
access-list Home_Users_splitTunnelAcl_2 standard permit any
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool hoe_addressed 192.168.1.75-192.168.1.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map0 1 match address outside_1_cryptomap
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set peer 1.1.1.1
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
!
vpnclient server 1.1.1.1
vpnclient mode client-mode
vpnclient vpngroup test password ********
vpnclient username test1 password ********
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
service-policy global_policy global
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:98ac6f4e89af2535963c6a2de08d9132
: end
10-20-2010 10:37 PM
Yes, you would need to remove all the crypto map configuration as it is not needed, and also the nat (inside) 0 command.
You would like to use the sample configuration provided earlier, and configure it in the same manner. Check the ASA hardware client configuration part. All the crypto configuration should not be there if you are configuring your ASA as hardware easy vpn client.
10-21-2010 08:18 PM
Hello Jennifer,
Your link seems to have led me to some success.
Here is my config now...
ciscoasa# show run
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.199 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp identity hostname
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpnclient server 1.1.1.1
vpnclient mode network-extension-mode
vpnclient vpngroup Danny password ********
vpnclient username Dan password ********
vpnclient enable
!
class-map inspection_default
match default-inspection-traffic
!
prompt hostname context
Cryptochecksum:672d2b1d01af4dd38b2158f6d45548af
: end
show crypto ipsec sa
interface: outside
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.111
access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 2.2.2.2 255.255.255.128
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.128/0/0)
current_peer: 1.1.1.1, username: 1.1.1.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.111/4500, remote crypto endpt.: 1.1.1.1/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 6F624F5D
inbound esp sas:
spi: 0x474B8C4E (1196133454)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28162
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x6F624F5D (1868713821)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28162
IV size: 8 bytes
replay detection support: Y
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.111
access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
current_peer: 1.1.1.1, username: 1.1.1.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 15, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.111/4500, remote crypto endpt.: 1.1.1.1/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 1FE08F0B
inbound esp sas:
spi: 0x4129BC91 (1093254289)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28162
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x1FE08F0B (534810379)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28162
IV size: 8 bytes
replay detection support: Y
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.111
access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 192.110.68.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.110.68.0/255.255.255.0/0/0)
current_peer: 1.1.1.1, username: 1.1.1.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.111/4500, remote crypto endpt.: 1.1.1.1/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 33CA67F4
inbound esp sas:
spi: 0xF8733CA2 (4168301730)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28157
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x33CA67F4 (868902900)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28157
IV size: 8 bytes
replay detection support: Y
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.111
access-list _vpnc_acl permit ip host 192.168.1.111 host 1.1.1.1
local ident (addr/mask/prot/port): (192.168.1.111/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer: 1.1.1.1, username: 1.1.1.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.111/4500, remote crypto endpt.: 1.1.1.1/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 06F98D7F
inbound esp sas:
spi: 0xC42B8C7A (3291188346)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28152
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x06F98D7F (117017983)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28152
IV size: 8 bytes
replay detection support: Y
10-21-2010 09:27 PM
Excellent, definitely a good sign so far.
I saw that you have changed the mode from Client mode to Network Extension mode on your configuration. Can you please confirm whether it should be client mode or Network Extension mode?
For Network Extension mode, 192.168.1.0/24 subnet needs to be unique from the headend perspective, ie: 192.168.1.0/24 should not exist on the headend LAN, or any other remote LAN. If it does, then you would need to change it to Client mode.
The command is the following:
Either: vpnclient mode client-mode OR: vpnclient mode network-extension-mode
(Pls kindly configure it accordingly).
You also want to remove the following default gateway as it is not correct:
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
If you decided to use Network Extension mode as 192.168.1.0/24 is unique within your topology, then on the head end, you would need to make sure that you configured NAT exemption for traffic sourcing from the headend LAN towards 192.168.1.0/24.
Hope that helps.
10-21-2010 11:00 PM
Deleted the line that you advised. I use the 10.241.113.0 subnet at headquarters, and on the sites I would like to use something different, in this case 192.168.1.0. That is why I changed to network-extension mode. Let me know if you think that I am wrong in doing so.
Unfortunately, I am limited to the web interface for the VPN 3000 and would like to see if there is a way to set this up with just that.
Is there anything else that I need to change to make this work? It still does not seem to work. Thanks for your help as always!
10-22-2010 03:02 AM
Based on that output, the issue is on your VPN Concentrator, not on the ASA. You might want to check the VPN Concentrator configuration.
On the VPN Concentrator, check if you have a route to 192.168.1.0/24 pointing towards the public interface, not the private interface.
Can you also check the SA on the VPN Concentrator for this particular VPN tunnel? I am assuming that you will see the decrypt counter increasing but the encrypt counter will be zero? Please double check the status on the Concentrator.
10-22-2010 11:25 AM
I think I have fixed the routing issues on the VPN. Here is my new show ipsec sa
ciscoasa# sh ipsec sa
interface: outside
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.110
access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.241.113.0/255.255.255.0/0/0)
current_peer: 1.1.1.1, username: 1.1.1.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.110/4500, remote crypto endpt.: 1.1.1.1/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 0E64ABB5
inbound esp sas:
spi: 0x38CF9DA2 (953130402)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28788
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x0E64ABB5 (241478581)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28788
IV size: 8 bytes
replay detection support: Y
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.110
access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 192.0.0.0 255.0.0.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.0.0.0/255.0.0.0/0/0)
current_peer: 1.1.1.1, username: 1.1.1.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.110/4500, remote crypto endpt.: 1.1.1.1/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 6E0E3359
inbound esp sas:
spi: 0xBE2A9BF7 (3190463479)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28788
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x6E0E3359 (1846424409)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28788
IV size: 8 bytes
replay detection support: Y
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.110
access-list _vpnc_acl permit ip host 192.168.1.110 host 1.1.1.1
local ident (addr/mask/prot/port): (192.168.1.110/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer: 1.1.1.1, username: 1.1.1.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.110/4500, remote crypto endpt.: 1.1.1.1/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 12BC9395
inbound esp sas:
spi: 0xD3E78BC2 (3555167170)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28780
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x12BC9395 (314348437)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28780
IV size: 8 bytes
replay detection support: Y
10-25-2010 03:52 AM
You mentioned that you can see your username with 512 bytes rx and I assume that you are seeing that on the VPN Concentrator. Based on that information and also the output of "show ipsec sa" on the ASA, the traffic does not seem to reach the ASA. Is there any firewall or access-list in front of the ASA or VPN Concentrator that might be blocking the IPSec tunnel? You would need to allow ESP protocol or UDP/4500.
10-25-2010 05:01 PM
I do not think so. It is behind a WRT600n with DD-WRT firmware. I forwarded ports 4500, 500 and 50 through 53 to the ASA at the IP of 192.168.1.109 as that is the IP that was dynamically assigned to the ASA. (But I also tried 192.168.1.199, just to make sure.) VPN passthrough is also enabled.
Yes, my username is on the concentrator and every time that I ping 10.241.113.194 I can see the rx on my username on the concentrator increase. The tx still remains at 0.
Here is my show ipsec sa
ciscoasa# show ipsec sa
interface: outside
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.109
access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 192.0.0.0 255.0.0.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.0.0.0/255.0.0.0/0/0)
current_peer: 1.1.1.1, username: 1.1.1.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.109/4500, remote crypto endpt.: 1.1.1.1/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 3FC451FD
inbound esp sas:
spi: 0x4E878CBB (1317506235)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 2, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28152
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x3FC451FD (1069830653)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 2, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28152
IV size: 8 bytes
replay detection support: Y
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.109
access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.241.113.0/255.255.255.0/0/0)
current_peer: 1.1.1.1, username: 1.1.1.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.109/4500, remote crypto endpt.: 1.1.1.1/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 17EDE630
inbound esp sas:
spi: 0xCF8A99CD (3481967053)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 2, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28152
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x17EDE630 (401466928)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 2, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28152
IV size: 8 bytes
replay detection support: Y
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.109
access-list _vpnc_acl permit ip host 192.168.1.109 host 1.1.1.1
local ident (addr/mask/prot/port): (192.168.1.109/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer: 1.1.1.1, username: 1.1.1.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.109/4500, remote crypto endpt.: 1.1.1.1/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 2B2AF1FA
inbound esp sas:
spi: 0x0790ABBD (126921661)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 2, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28144
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x2B2AF1FA (724234746)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 2, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28144
IV size: 8 bytes
replay detection support: Y
Here is my show run
ciscoasa# show run
: Saved
:ASA Version 7.2(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.199 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp identity hostname
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpnclient server 1.1.1.1
vpnclient mode network-extension-mode
vpnclient vpngroup Danny password ********
vpnclient username Dan password ********
vpnclient enable
!
class-map inspection_default
match default-inspection-traffic
!
prompt hostname context
Cryptochecksum:bec0415f99c134868f817aed754c6c2b
: end
Thanks so much for your help Jennifer, I greatly appreciate it. Let me know if you have any other suggestions. Have a good day!
10-25-2010 09:29 PM
Hi Dan,
Based on the output on the ASA, ie: "#pkts encaps: 10" and 0 pkts decaps, and the same on the VPN Concentrator, ie: encaps are increasing however decaps are still 0, that means that both ends are encrypting the traffic, however, neither end receives the encrypted packets, therefore the decaps counter remains zero, ie: nothing to be decrypted because neither end received the encrypted packets.
As advised, it is definitely not a VPN end point issue (not the ASA nor the VPN Concentrator), however, the network device in between. Please check if your WRT600n is forwarding traffic out and in correctly, especially on UDP port 4500. Please kindly make sure that the port being forwarded has UDP being forwarded for port 4500. The rest of the other ports are OK so please don't make any changes on other ports.
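Added example, not code from the thread or from Cisco: a small Python parser for the "show crypto ipsec sa" counters, reading each SA the way the reply above does (encaps rising while decaps stays at zero means the far side never receives the encrypted packets). The sample output is constructed to copy the thread's layout, with made-up counts.

```python
"""Classify per-SA counters from ASA 'show crypto ipsec sa' output.

Added example, not code from the thread or from Cisco. SAMPLE is a constructed
excerpt in the layout of the output quoted in the thread, cut down to the
lines the parser reads; the packet counts are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE = """\
interface: outside
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.109
access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.241.113.0/255.255.255.0/0/0)
current_peer: 1.1.1.1, username: 1.1.1.1
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.109/4500, remote crypto endpt.: 1.1.1.1/4500
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.109
access-list _vpnc_acl permit ip host 192.168.1.109 host 1.1.1.1
local ident (addr/mask/prot/port): (192.168.1.109/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer: 1.1.1.1, username: 1.1.1.1
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.109/4500, remote crypto endpt.: 1.1.1.1/4500
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.109
access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 192.0.0.0 255.0.0.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.0.0.0/255.0.0.0/0/0)
current_peer: 1.1.1.1, username: 1.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.109/4500, remote crypto endpt.: 1.1.1.1/4500
"""

# Verdict keyed on (encaps > 0, decaps > 0); the thread's case is (True, False).
VERDICTS = {
    (False, False): "idle",             # nothing has matched this SA's crypto ACL
    (True, False): "one-way-outbound",  # we encrypt and send, nothing comes back
    (False, True): "one-way-inbound",   # peer's packets arrive, we never send
    (True, True): "bidirectional",      # traffic flows both ways
}
HINTS = {
    "idle": "source test traffic from a local-ident address (ping inside ...), "
            "not from the outside interface",
    "one-way-outbound": "encrypted packets leave but none return: check that the "
                        "device in front of each peer passes UDP/4500 (NAT-T) or ESP, "
                        "and that the headend routes the remote LAN into the tunnel",
    "one-way-inbound": "peer traffic is decrypted here but nothing is sent back: "
                       "check the local crypto ACL and inside routing",
    "bidirectional": "healthy",
}

@dataclass
class SaStats:
    local_ident: str
    remote_ident: str
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int
    nat_t: bool  # True when the crypto endpoints are on UDP/4500

    def verdict(self) -> str:
        return VERDICTS[(self.encaps > 0, self.decaps > 0)]

def _field(block: str, pattern: str) -> str:
    m = re.search(pattern, block)
    if m is None:
        raise ValueError(f"pattern {pattern!r} not found in SA block")
    return m.group(1)

def parse_ipsec_sa(text: str) -> list[SaStats]:
    """One SaStats per 'Crypto map tag:' block; the 'interface:' header is dropped."""
    sas = []
    for block in text.split("Crypto map tag:")[1:]:
        sas.append(SaStats(
            local_ident=_field(block, r"local ident \(addr/mask/prot/port\): \(([^)]*)\)"),
            remote_ident=_field(block, r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)"),
            peer=_field(block, r"current_peer: ([^,\s]+)"),
            encaps=int(_field(block, r"#pkts encaps: (\d+)")),
            decaps=int(_field(block, r"#pkts decaps: (\d+)")),
            send_errors=int(_field(block, r"#send errors: (\d+)")),
            recv_errors=int(_field(block, r"#recv errors: (\d+)")),
            nat_t=_field(block, r"remote crypto endpt\.: (\S+)").endswith("/4500"),
        ))
    return sas

if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE):
        v = sa.verdict()
        print(f"{sa.remote_ident:32} encaps={sa.encaps:<3} decaps={sa.decaps:<3} {v}: {HINTS[v]}")
```

Paste the real "show crypto ipsec sa" output in place of SAMPLE to get one verdict per SA; the 10.241.113.0/24 SA in the thread would come out as one-way-outbound.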
10-25-2010 11:56 PM
Jennifer,
Thanks for all of your help. I was just checking to see if port 4500 was open and it is on my router, but I tried using an online port scanner to see if UDP 4500 is open, and it seems to be closed. I am going to try at a different location tomorrow.
Thanks for your help Jennifer, I really appreciate your help! Have a good night!
10-26-2010 10:24 PM
So I tried it at my business connection and it did the same thing. Still able to connect, the VPN light still illuminates, but still not able to ping 10.241.113.194. I can, however, still connect with the VPN client software, and can still ping 10.241.113.194 when connected with the client software. I tried forwarding port 4500 and that did not change the result. Is there a way that I could verify that port 4500 is open?
This was in the show ipsec sa. Could this have something to do with our issue?
dynamic allocated peer ip: 0.0.0.0
ciscoasa# ping 10.241.113.194
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.241.113.194, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
10-28-2010 05:17 AM
Great, thanks for posting the ping from ASA.
You would need to ping from the inside interface on the ASA as follows:
ciscoasa# ping inside 10.241.113.194
You can't just perform: "ping 10.241.113.194" because it's sourcing the ping from the outside interface of the ASA which is not part of crypto ACL.
10-28-2010 04:07 PM
Hello Jennifer,
Thanks for your reply. Unfortunately that did not work for me.
ciscoasa# ping inside 10.241.113.194
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.241.113.194, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa#
I found it odd that when I ping 10.241.113.194 the "#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4" increases, but when I do ping inside 10.241.113.194 those numbers remain the same.
I also tried to ping the concentrator's internal IP with the same result.
I am adding these just in case they are of any help..
ciscoasa# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : user Role : initiator
Rekey : no State : AM_ACTIVE
ciscoasa# show ipsec sa
interface: outside
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.103
access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 192.0.0.0 255.0.0.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.0.0.0/255.0.0.0/0/0)
current_peer: 1.1.1.1, username: 1.1.1.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.103/4500, remote crypto endpt.: 1.1.1.1/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 2E4E764C
inbound esp sas:
spi: 0xCFC253FE (3485619198)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 27728
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x2E4E764C (776894028)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 27728
IV size: 8 bytes
replay detection support: Y
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.103
access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.241.113.0/255.255.255.0/0/0)
current_peer: 1.1.1.1, username: 1.1.1.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.103/4500, remote crypto endpt.: 1.1.1.1/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 75352F6A
inbound esp sas:
spi: 0x9F57847E (2673312894)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 27786
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x75352F6A (1966419818)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 27786
IV size: 8 bytes
replay detection support: Y
ciscoasa# show vpnclient
LOCAL CONFIGURATION
vpnclient server 1.1.1.1
vpnclient mode network-extension-mode
vpnclient vpngroup Danny password ********
vpnclient username Dan password ********
vpnclient enable
DOWNLOADED DYNAMIC POLICY
Current Server : 1.1.1.1
Primary DNS : 8.8.8.8
Secondary DNS : 4.2.2.2
PFS Enabled : No
Secure Unit Authentication Enabled : No
User Authentication Enabled : No
Split Tunnel Networks : 10.241.113.0/255.255.255.0 192.0.0.0/255.0.0.0
Backup Servers : None
ciscoasa# show interface
Interface Vlan1 "inside", is up, line protocol is up
Hardware is EtherSVI
MAC address 001e.be9e.592a, MTU 1500
IP address 192.168.1.199, subnet mask 255.255.255.0
Traffic Statistics for "inside":
17646 packets input, 2877146 bytes
24 packets output, 2112 bytes
13850 packets dropped
1 minute input rate 1 pkts/sec, 134 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 1 pkts/sec, 217 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Vlan2 "outside", is up, line protocol is up
Hardware is EtherSVI
MAC address 001e.be9e.592a, MTU 1500
IP address 192.168.1.103, subnet mask 255.255.0.0
Traffic Statistics for "outside":
17996 packets input, 2906644 bytes
1905 packets output, 88273 bytes
16729 packets dropped
1 minute input rate 1 pkts/sec, 136 bytes/sec
1 minute output rate 0 pkts/sec, 18 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 1 pkts/sec, 219 bytes/sec
5 minute output rate 0 pkts/sec, 9 bytes/sec
5 minute drop rate, 1 pkts/sec
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001e.be9e.5922, MTU not set
IP address unassigned
18020 packets input, 3233635 bytes, 0 no buffer
Received 1672 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
9 switch ingress policy drops
1905 packets output, 151219 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001e.be9e.5923, MTU not set
IP address unassigned
17661 packets input, 3196956 bytes, 0 no buffer
Received 1674 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
24 packets output, 2616 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
10-24-2010 10:01 AM
Anyone able to help me finish solving my issue? I would greatly appreciate the help, and already greatly appreciate all the help that I have gotten! Thank you so much, this community is awesome.
10-31-2010 09:31 AM
Anyone able to help me solve this?
Thanks for your help, I appreciate it.