02-20-2011 10:10 PM
Hi all,
I have an issue with an IPsec VPN between an ASA and a Cisco router.
I think there is a problem in phase 2.
Can you please guide me to where the problem could be?
I suspect ACL issues on the router, but I am unable to rectify them. The ACLs on the router are listed at the bottom.
Looking forward to your help.
Phase 1 looks like this:
Cisco_router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
78.x.x.41 87.x.x.4 QM_IDLE 2006 0 ACTIVE
and on the ASA:
ASA# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 78.x.x.41
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Phase 2 on the ASA:
ASA# sh crypto ipsec sa
interface: Outside
Crypto map tag: Outside_map, seq num: 20, local addr: 87.x.x.4
access-list Outside_cryptomap_20 permit ip 172.19.209.0 255.255.255.0 172.19.194.0 255.255.255.0
local ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
current_peer: 78.x.x.41
#pkts encaps: 8813, #pkts encrypt: 8813, #pkts digest: 8813
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 8813, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 87.x.x.4 , remote crypto endpt.: 78.x.x.41
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: C96393AB
inbound esp sas:
spi: 0x3E9D820B (1050509835)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 7, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (4275000/3025)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xC96393AB (3378746283)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 7, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (4274994/3023)
IV size: 8 bytes
replay detection support: Y
Phase 2 on the Cisco router:
protected vrf: (none)
local ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 8947, #pkts decrypt: 8947, #pkts verify: 8947
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
current outbound spi: 0x3E9D820B(1050509835)
inbound esp sas:
spi: 0xC96393AB(3378746283)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 29, flow_id: Motorola SEC 1.0:29, crypto map: mycryptomap
sa timing: remaining key lifetime (k/sec): (4393981/1196)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3E9D820B(1050509835)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 30, flow_id: Motorola SEC 1.0:30, crypto map: mycryptomap
sa timing: remaining key lifetime (k/sec): (4394007/1196)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
The VPN-related configuration on the Cisco router is below:
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
access-list 105 deny ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
access-list 105 deny ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
access-list 105 deny ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 log
route-map nonat permit 10
match ip address 105
crypto ipsec transform-set mytransformset esp-3des esp-md5-hmac
crypto map mycryptomap 100 ipsec-isakmp
set peer 87.x.x.4
set transform-set mytransformset
match address 101
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxx2011 address 87.x.x.4
02-20-2011 10:33 PM
Absolutely correct, the access-list on the router is one of the issues. It seems that the access-list has been configured bidirectionally, which is incorrect. Also, the access-list needs to be a mirror image between the ASA end and the router end.
The crypto ACL on the router should say: permit from source:
And the crypto ACL on the ASA should say: permit from source:
Can you please advise which subnets behind the ASA you would like to encrypt towards the router, and similarly which subnets behind the router you would like to encrypt towards the ASA.
Similarly, the route-map that denies the NAT should only deny from the router's local subnet towards the ASA's remote subnet.
Lastly, the issue seems to be the ASA LAN either does not reply OR/ the NAT exemption has been incorrectly configured on the ASA.
Please kindly share the full config from both ASA and router so we can further help.
02-21-2011 12:13 AM
Thank you very much for your support.
Subnets behind the ASA are:
172.19.203.0/24
172.19.206.0/24
172.19.209.0/24
And the subnet behind the router is 172.19.194.0/24.
Below are the related configurations on the ASA and the router.
Be informed that I made the configuration on the ASA using the site-to-site VPN wizard.
ASA config:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map Outside_map 20 match address Outside_cryptomap_20_1
crypto map Outside_map 20 set peer 78.x.x.41
crypto map Outside_map 20 set transform-set ESP-3DES-MD5
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 78.x.x.41 type ipsec-l2l
tunnel-group 78.x.x.41 ipsec-attributes
pre-shared-key *
access-list Outside_cryptomap_20_1 line 1 extended permit ip 172.19.206.0 255.255.255.0 172.19.194.0 255.255.255.0 (hitcnt=0)
access-list Outside_cryptomap_20_1 line 2 extended permit ip 172.19.209.0 255.255.255.0 172.19.194.0 255.255.255.0 (hitcnt=5)
access-list Outside_cryptomap_20_1 line 3 extended permit ip 172.19.203.0 255.255.255.0 172.19.194.0 255.255.255.0 (hitcnt=0)
access-list Inside_nat0_outbound_V1 extended permit ip 172.19.206.0 255.255.255.0 172.19.194.0 255.255.255.0
access-list Inside_nat0_outbound_V1 extended permit ip 172.19.209.0 255.255.255.0 172.19.194.0 255.255.255.0
access-list Inside_nat0_outbound_V1 extended permit ip 172.19.203.0 255.255.255.0 172.19.194.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound_V1
Router config:
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxx_2011 address 87.x.x.34
!
crypto isakmp client configuration group xxx
key xxxnet
dns x.x.x.x x.x.x.x
include-local-lan
dhcp server 172.19.194.1
max-users 10
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group xxx
client authentication list sdm_vpn_xauth_ml_2
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set mytransformset esp-3des esp-md5-hmac
!
crypto ipsec profile SDM_Profile1
set security-association idle-time 60
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
crypto map mycryptomap 100 ipsec-isakmp
set peer 87.x.x.34
set transform-set mytransformset
match address 101
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid xxxx
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 78.x.x.65 255.255.255.252 secondary
ip address 172.19.194.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname 24231610@xxx.com
ppp chap password 7 01142D26555A343E244816
crypto map mycryptomap
!
interface BVI1
ip address 10.10.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload
!
access-list 1 permit 172.19.194.0 0.0.0.255
access-list 23 permit x.x.x.0 0.0.0.255
access-list 23 permit x.x.x.0 0.0.0.255
access-list 23 permit x.x.x.0 0.0.0.255 log
access-list 23 permit x.x.x.0 0.0.0.255 log
access-list 23 permit x.x.x.0 0.0.0.255
access-list 23 permit 172.19.194.0 0.0.0.255 log
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
dialer-list 1 protocol ip permit
snmp-server community private RW
snmp-server community public RO
no cdp run
!
!
route-map nonat permit 10
match ip address 105
NOTE: the client VPN configuration is present on the router, but we are not using it.
02-21-2011 01:13 AM
OK, so the access-list on the router should say only the following lines:
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255
You will have to clear the tunnel on both sides after modifying the access-list:
clear cry ipsec sa
clear cry isa sa
Also, how are the following subnets connected on the ASA:
172.19.203.0/24
172.19.206.0/24
172.19.209.0/24
Just confirm that there are routes on the ASA for those 3 subnets, and also that those 3 subnets know how to route towards the 172.19.194.0/24 subnet, i.e. via the ASA inside interface.
02-21-2011 02:33 AM
I made the access-list as per your advice on the Cisco router and tried after clearing, but the result is the same.
We have a core switch in the LAN; the core switch's default gateway is the ASA, and the ASA's default gateway is the Internet. So the required subnets (172.19.203.0/24, 172.19.206.0/24, 172.19.209.0/24) are connected in the same way.
Also, the ACL below on the ASA shows that packets are being matched from the LAN subnet (172.19.209.0/24) to the remote LAN:
access-list Outside_cryptomap_20_1 line 2 extended permit ip 172.19.209.0 255.255.255.0 172.19.194.0 255.255.255.0 (hitcnt=17)
And from the remote LAN (router) we also found matches:
permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log (11379 matches)
Please advise.
Do I need to debug ACLs?
02-21-2011 03:25 AM
It is not the VPN configuration. VPN config is absolutely correct now.
Please share the output of "show cry ipsec sa". If it is still showing the same result as before, ie: no encrypt on the ASA, then you will need to check the path between the ASA, core switch and the end host, and make sure that nothing is blocked.
Can you please confirm that there is no route in the core switch that might cover 172.19.194.0/24 subnet that might be routed to a different gateway, ie: not the ASA?
Now, you will need to troubleshoot routing, etc, as it is not a VPN configuration issue.
02-21-2011 07:56 AM
Thanks Jeniffer again.
Routing is very clear; there is no specific route for 172.19.194.0/24 in the core switch.
The ASA shows that packets are being encrypted.
Still, I am unable to ping the remote site.
Packets are encapsulated on the ASA and decapsulated on the router, but with no result.
Looking for your support.
ASA sh cry ipsec sa:
ASA# sh crypto ipsec sa
interface: Outside
Crypto map tag: Outside_map, seq num: 20, local addr: 87.x.x.4
access-list Outside_cryptomap_20_1 permit ip 172.19.209.0 255.255.255.0 172.19.194.0 255.255.255.0
local ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
current_peer: 78.x.x.41
#pkts encaps: 2178, #pkts encrypt: 2178, #pkts digest: 2178
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2178, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 87.101.181.34, remote crypto endpt.: 78.x.x.41
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 53701EF3
inbound esp sas:
spi: 0xCBCB9B5A (3419118426)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 7, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (4275000/2356)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x53701EF3 (1399856883)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 7, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (4274986/2313)
IV size: 8 bytes
replay detection support: Y
Router sh crypto ipsec sa:
AamalNet#sh crypto ipsec sa
interface: Dialer0
Crypto map tag: mycryptomap, local addr 78.x.x.41
protected vrf: (none)
local ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.19.203.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.19.206.0/255.255.255.0/0/0)
current_peer 87.101.181.34 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.34
path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 13801, #pkts decrypt: 13801, #pkts verify: 13801
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.34
path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
current outbound spi: 0xCBCB9B5A(3419118426)
inbound esp sas:
spi: 0x53701EF3(1399856883)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 61, flow_id: Motorola SEC 1.0:61, crypto map: mycryptomap
sa timing: remaining key lifetime (k/sec): (4391344/1604)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xCBCB9B5A(3419118426)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 62, flow_id: Motorola SEC 1.0:62, crypto map: mycryptomap
sa timing: remaining key lifetime (k/sec): (4391384/1604)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access2
Crypto map tag: mycryptomap, local addr 78.x.x.41
protected vrf: (none)
local ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.19.203.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.19.206.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.34
path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 13801, #pkts decrypt: 13801, #pkts verify: 13801
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
current outbound spi: 0xCBCB9B5A(3419118426)
inbound esp sas:
spi: 0x53701EF3(1399856883)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 61, flow_id: Motorola SEC 1.0:61, crypto map: mycryptomap
sa timing: remaining key lifetime (k/sec): (4391344/1604)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xCBCB9B5A(3419118426)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 62, flow_id: Motorola SEC 1.0:62, crypto map: mycryptomap
sa timing: remaining key lifetime (k/sec): (4391384/1604)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
sh ip route on the core switch:
Gateway of last resort is 172.19.203.1 to network 0.0.0.0
172.19.0.0/16 is variably subnetted, 16 subnets, 2 masks
S 172.19.217.0/24 [1/0] via 172.19.203.6
C 172.19.215.0/24 is directly connected, Vlan215
C 172.19.214.0/24 is directly connected, Vlan214
C 172.19.213.0/24 is directly connected, Vlan213
C 172.19.211.0/24 is directly connected, Vlan211
C 172.19.210.0/24 is directly connected, Vlan210
C 172.19.209.0/24 is directly connected, Vlan209
C 172.19.208.0/24 is directly connected, Vlan208
C 172.19.207.0/24 is directly connected, Vlan207
C 172.19.206.0/24 is directly connected, Vlan206
C 172.19.203.0/24 is directly connected, Vlan203
S 172.19.193.0/24 [1/0] via 172.19.203.6
S 172.19.124.0/24 [1/0] via 172.19.203.4
S 172.19.110.21/32 [1/0] via 172.19.203.4
S 172.19.106.5/32 [1/0] via 172.19.203.4
S 172.19.110.51/32 [1/0] via 172.19.203.4
S* 0.0.0.0/0 [1/0] via 172.19.203.1
02-21-2011 02:11 PM
Just looked at your router config again, and you have the following 2 lines:
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload
The first line with ACL 1 is incorrect. You will have to merge the NAT into the second line as follows:
access-list 105 permit ip 172.19.194.0 0.0.0.255 any
Then remove the first line:
no ip nat inside source list 1 interface Dialer0 overload
Then clear the translation:
clear ip nat trans *
VPN tunnel should work after the above changes.
Hope that helps.
02-21-2011 09:46 PM
Jeniffer, thanks again.
I have made the changes as advised, but I have the same issue.
We are getting matches on access-list 101 but not on access-list 105 for 172.19.194.x to 172.19.209.x.
Please advise.
sh cry ipsec sa on the router is:
local ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 13968, #pkts decrypt: 13968, #pkts verify: 13968
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
The access-lists on the router are now:
Extended IP access list 101
10 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
30 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log (4 matches)
50 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log (13995 matches)
Extended IP access list 105
5 permit ip 172.19.194.0 0.0.0.255 any (18585 matches)
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
On the ASA:
ASA# sh crypto ipsec sa
interface: Outside
Crypto map tag: Outside_map, seq num: 20, local addr: 87.x.x.4
access-list Outside_cryptomap_20_1 permit ip 172.19.209.0 255.255.255.0 172.19.194.0 255.255.255.0
local ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
current_peer: 78.x.x.41
#pkts encaps: 139, #pkts encrypt: 139, #pkts digest: 139
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 139, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
02-21-2011 09:50 PM
Your permit statement for ACL 105 needs to be at the bottom so it is the last to match, as it is the most general ACL.
You currently have:
Extended IP access list 105
5 permit ip 172.19.194.0 0.0.0.255 any (18585 matches)
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
It should be:
Extended IP access list 105
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
60 permit ip 172.19.194.0 0.0.0.255 any (18585 matches)
To remove it and add it to the bottom:
ip access-list extended 105
no 5
60 permit ip 172.19.194.0 0.0.0.255 any
Then "clear ip nat trans *"
and it should work now.
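The two fixes this thread turns on, the mirror-image crypto ACLs from the first reply and the ordering of the permit entry in NAT-exemption ACL 105 from the accepted answer, as an added example that is not part of the original thread or of any Cisco tool: a small first-match ACL evaluator in Python that parses the IOS (wildcard-mask) and ASA (subnet-mask) ACL text posted above and reports, for a constructed 172.19.194.10 -> 172.19.209.20 packet, whether the crypto ACLs mirror each other, whether the packet escapes NAT, and therefore whether the router would encrypt it. It relies on one IOS fact not spelled out in the posts: for inside-to-outside traffic, NAT is applied before the crypto map is consulted, so a packet that ACL 105 permits gets PAT'd to the Dialer0 address and no longer matches ACL 101. The 203.0.113.5 Internet-bound address and all function names are the example's own assumptions.

```python
"""Added example (not from the original thread): first-match evaluation of
IOS-style (wildcard mask) and ASA-style (subnet mask) extended ACL lines,
used to reproduce the two failure modes discussed above.
ACL text is copied from the posts; the packet addresses are constructed."""
import ipaddress
import re

# Matches "permit ip <src> <dst>" in config form ("access-list 105 deny ip ..."),
# show form ("10 deny ip ... (4 matches)") and ASA form ("... extended permit ip ...").
ACE_RE = re.compile(
    r"\b(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>any|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>any|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)"
)
ANY = ipaddress.IPv4Network("0.0.0.0/0")


def _ios_net(addr, wildcard):
    """IOS extended ACLs carry wildcard masks; invert to a subnet mask."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _asa_net(addr, mask):
    """ASA ACLs carry ordinary subnet masks."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_acl(text, style):
    """Return [(action, src_net, dst_net)] in listed order; style is 'ios' or 'asa'."""
    to_net = _ios_net if style == "ios" else _asa_net
    net = lambda tok: ANY if tok == "any" else to_net(*tok.split())
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.search(line)
        if m:
            aces.append((m["action"], net(m["src"]), net(m["dst"])))
    return aces


def first_match(aces, src, dst):
    """Top-down evaluation: the first matching entry wins, implicit deny otherwise."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def is_mirror(router_aces, asa_aces):
    """Crypto ACLs are correct when every permit on one peer appears with
    source and destination swapped on the other peer, and nothing else."""
    router = {(s, d) for a, s, d in router_aces if a == "permit"}
    asa_swapped = {(d, s) for a, s, d in asa_aces if a == "permit"}
    return router == asa_swapped


def nat_exempt(nat_aces, src, dst):
    """Under 'ip nat inside source route-map nonat ...', a permit in the route-map's
    ACL means the packet IS translated; a deny leaves it for the crypto map."""
    return first_match(nat_aces, src, dst) == "deny"


def diagnose(router_crypto, nat_acl, src="172.19.194.10", dst="172.19.209.20"):
    """Reproduce the thread's symptoms for one constructed router-side packet."""
    asa = parse_acl(ASA_CRYPTO, "asa")
    router = parse_acl(router_crypto, "ios")
    exempt = nat_exempt(parse_acl(nat_acl, "ios"), src, dst)
    # IOS translates inside->outside before consulting the crypto map, so a
    # NATed packet no longer carries the 172.19.194.x source that ACL 101 needs.
    return {
        "crypto_acls_mirror": is_mirror(router, asa),
        "nat_exempt": exempt,
        "encrypted": exempt and first_match(router, src, dst) == "permit",
    }


# ACL text as posted in the thread (ASA wizard output, bidirectional ACL 101,
# the corrected ACL 101, and ACL 105 before and after moving the permit).
ASA_CRYPTO = """
access-list Outside_cryptomap_20_1 line 1 extended permit ip 172.19.206.0 255.255.255.0 172.19.194.0 255.255.255.0 (hitcnt=0)
access-list Outside_cryptomap_20_1 line 2 extended permit ip 172.19.209.0 255.255.255.0 172.19.194.0 255.255.255.0 (hitcnt=5)
access-list Outside_cryptomap_20_1 line 3 extended permit ip 172.19.203.0 255.255.255.0 172.19.194.0 255.255.255.0 (hitcnt=0)
"""
ROUTER_CRYPTO_BIDIR = """
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 log
"""
ROUTER_CRYPTO_FIXED = """
10 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
30 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log (4 matches)
50 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log (13995 matches)
"""
NAT_BEFORE = """
5 permit ip 172.19.194.0 0.0.0.255 any (18585 matches)
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
"""
NAT_AFTER = """
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
60 permit ip 172.19.194.0 0.0.0.255 any
"""

if __name__ == "__main__":
    print("original config:", diagnose(ROUTER_CRYPTO_BIDIR, NAT_BEFORE))
    print("ACL 101 fixed only:", diagnose(ROUTER_CRYPTO_FIXED, NAT_BEFORE))
    print("both fixes applied:", diagnose(ROUTER_CRYPTO_FIXED, NAT_AFTER))
```

The middle case is the state of the thread just before the accepted answer: ACL 101 is already a correct mirror, the router decapsulates the ASA's packets, yet nothing is encrypted back, because sequence 5 of ACL 105 matches every 172.19.194.x packet before the deny entries are reached. Moving the permit to sequence 60 makes the VPN-bound flows hit their deny first and only Internet-bound traffic (203.0.113.5 in the test) gets translated.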
02-21-2011 10:46 PM
Jeniffer,
Thank you very much.
I understand; the problem has now been resolved.
Thank you very much for your support and cooperation.
Regards