VPN Setting please help

dsmigelski1
Level 1

Hello,

 

I'm new to Cisco and need to have these changes made to the VPN tunnel. Can anyone help?

 

What commands would one type to add these configs? An existing VPN config exists and I am just making some mods:

Phase 1 (Isakmp)
IKE Mode: Main (not aggressive)
Authentication: Pre-Shared
Encryption: AES-192
Hash: SHA
DH: 2
Lifetime: 43200
Pre-shared Key: *******


Phase2 (IPSec)
protocol: esp
encryption: AES-256
authentication: SHA
Lifetime: 28800
PFS: Enabled, Group 2

 

Thanks,

Derek

 

18 Replies

Jouni Forss
VIP Alumni

Hi,

 

Phase 1 configurations are not tied to any specific VPN connection. The ISAKMP/Phase 1 policy that is chosen is based on the priority the policy is configured at. So we would need to see the output of the following command from your ASA to determine what configurations are needed:

 

show run crypto

 

- Jouni

Dinesh Moudgil
Cisco Employee

Hi Derek,

 

Here are the commands. Use the ikev1 or isakmp form depending on your ASA code version.

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 43200


crypto isakmp policy 10
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 43200

 

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac


crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set pfs group2


tunnel-group <peer-ip> type ipsec-l2l
tunnel-group <peer-ip> ipsec-attributes
 ikev1 pre-shared-key *****

or

tunnel-group <peer-ip> type ipsec-l2l
tunnel-group <peer-ip> ipsec-attributes
 pre-shared-key *****

 

 

Regards,
Dinesh Moudgil

 

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

ciscoasa# show run crypto
crypto ipsec transform-set vpn esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside 10 match address vpn
crypto map outside 10 set peer 216.117.40.14
crypto map outside 10 set transform-set vpn
crypto map outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 43200

 

Hi,

 

It seems to me that the above configuration is mostly what you are looking for.

 

You would need to add this, however:

 

crypto map outside 10 set pfs group2

 

To match the Phase2 settings you mentioned in the original post.

 

You can naturally also add this:

 

crypto map outside 10 set security-association lifetime seconds 28800

 

- Jouni
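As an added example (not code from the thread or from Cisco), the following script performs the comparison Jouni did by hand: it parses a pasted `show run crypto` dump, checks whether any ISAKMP policy matches the requested Phase 1 parameters, finds the crypto map entry for the peer, and lists the commands still missing for Phase 2. It assumes the classic ASA syntax shown in the thread (the `ikev1` keyword used on newer code is also accepted); the sample dump is the one posted above, embedded here as a constructed input.

```python
"""Check an ASA 'show run crypto' dump against the Phase 1 / Phase 2 parameters
asked for in the thread and list what is still missing. Added example, not from
the original posts."""
import re

# Constructed sample: the 'show run crypto' output posted in the thread.
SHOW_RUN_CRYPTO = """\
crypto ipsec transform-set vpn esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside 10 match address vpn
crypto map outside 10 set peer 216.117.40.14
crypto map outside 10 set transform-set vpn
crypto map outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 43200
"""

# Parameters from the original request.
REQUIRED_PHASE1 = {"authentication": "pre-share", "encryption": "aes-192",
                   "hash": "sha", "group": "2", "lifetime": "43200"}
REQUIRED_TRANSFORM = ("esp-aes-256", "esp-sha-hmac")
REQUIRED_SA_LIFETIME = "28800"
REQUIRED_PFS = "group2"

POLICY_RE = re.compile(r"^crypto (?:ikev1 |isakmp )policy (\d+)$")
TSET_RE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$")
GLOBAL_LIFETIME_RE = re.compile(r"^crypto ipsec security-association lifetime seconds (\d+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse_crypto(text):
    """Return (isakmp policies, transform sets, crypto map entries, global SA lifetime)."""
    policies, tsets, maps, global_lifetime = {}, {}, {}, None
    policy = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith(" ") and policy is not None:   # attribute inside a policy
            key, _, value = line.strip().partition(" ")
            policy[key] = value
            continue
        policy = None
        if m := POLICY_RE.match(line):
            policy = policies.setdefault(int(m.group(1)), {})
        elif m := TSET_RE.match(line):
            tsets[m.group(1)] = tuple(m.group(2).split())
        elif m := GLOBAL_LIFETIME_RE.match(line):
            global_lifetime = m.group(1)
        elif m := MAP_RE.match(line):
            entry = maps.setdefault((m.group(1), int(m.group(2))), {})
            words = m.group(3).split()
            if len(words) > 1 and words[1] == "ikev1":      # 'set ikev1 transform-set' on newer code
                del words[1]
            if words[:2] == ["match", "address"]:
                entry["acl"] = words[2]
            elif words[:4] == ["set", "security-association", "lifetime", "seconds"]:
                entry["sa_lifetime"] = words[4]
            elif words[0] == "set":
                entry[words[1]] = " ".join(words[2:])       # peer, transform-set, pfs, ...
    return policies, tsets, maps, global_lifetime


def check(text, peer):
    """Return the commands (or problems) still needed to meet the request."""
    policies, tsets, maps, global_lifetime = parse_crypto(text)
    todo = []
    # Phase 1 policies are global, not per peer: the ASA offers them in priority
    # order, so any policy whose attributes all match is enough.
    if not any(all(p.get(k) == v for k, v in REQUIRED_PHASE1.items())
               for p in policies.values()):
        todo.append("no isakmp policy matches the requested Phase 1 parameters")
    # Phase 2 lives in the crypto map entry that points at this peer.
    hit = [(k, e) for k, e in maps.items() if e.get("peer") == peer]
    if not hit:
        todo.append(f"no crypto map entry has 'set peer {peer}'")
        return todo
    (name, seq), entry = hit[0]
    prefix = f"crypto map {name} {seq} set"
    if tsets.get(entry.get("transform-set")) != REQUIRED_TRANSFORM:
        todo.append(f"{prefix} transform-set <a set using {' '.join(REQUIRED_TRANSFORM)}>")
    # A per-entry lifetime overrides the global one; otherwise the global value applies.
    if entry.get("sa_lifetime", global_lifetime) != REQUIRED_SA_LIFETIME:
        todo.append(f"{prefix} security-association lifetime seconds {REQUIRED_SA_LIFETIME}")
    if entry.get("pfs") != REQUIRED_PFS:
        todo.append(f"{prefix} pfs {REQUIRED_PFS}")
    return todo


if __name__ == "__main__":
    for item in check(SHOW_RUN_CRYPTO, "216.117.40.14") or ["nothing to add"]:
        print(item)
```

Run against the posted dump it reports only `crypto map outside 10 set pfs group2`, which is the one line Jouni said was missing; the SA lifetime is already satisfied by the global `crypto ipsec security-association lifetime seconds 28800`.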

 

 

Thanks Jouni,

 

How can this be tested? I am assuming I should be able to ping that remote peer in config t mode and have that be successful? Just curious how to test this.

 

I can't seem to ping the remote peer; see my other post below for this:

 

Maybe the static 1:1 NAT isn't configured? I'm thinking I should be able to ping both 10.1.12.164 and 216.117.40.14.

Remote Peer IP: 216.117.40.14
Remote Network: 192.168.50.0/24, 10.10.3.0/24
Your Local Network: n/a

Interesting Traffic = your single host is trying to talk to our side.

Will need to create a static, 1:1 policy NAT of interesting traffic to host 10.1.12.164

Will need to make an IPSec ACL from host 10.1.12.164 to 192.168.50.0/24
Will need to make an IPSec ACL from host 10.1.12.164 to 10.10.3.0/24

So if the VPN settings are now correct, is there a reboot command or clear command to ensure the old stuff is not in memory? Or a command to show this VPN tunnel is successfully up?

Hi,

 

The remote VPN device does not necessarily reply to ICMP traffic. It might block such traffic from any source IP address.

 

You can try "packet-tracer" to initiate the VPN negotiation. You have to put into the command the source and destination IP addresses that are supposed to use the L2L VPN connection:

 

packet-tracer input inside tcp <internal source ip> 12345 <destination remote ip> <destination port>

 

Issue this command twice and see what the VPN phase of the output says on the second try. The first "packet-tracer" command's output will always result in a VPN phase DROP (unless some traffic has already brought up the VPN connection), while the second time you issue the command the L2L VPN connection should already be up.

 

Notice that if you are doing NAT for your internal IP address you will still use the local/real IP address in the "packet-tracer" command as the source IP.

 

If you want to easily log off VPN connections you can always log in with the ASDM to the ASA, go to the Monitor / VPN section, list the L2L VPN connections and log off the VPN connection if it's listed there.

 

- Jouni

 

Yes, I had issues ever getting ASDM installed. My remote machine is a Mac and the onsite machines are Windows Server, but I never really got that app to function. I'll try the packet-tracer.

Hi,

 

I think the command corresponding to the ASDM log off button is the following:

 

vpn-sessiondb logoff ipaddress <remote peer ip>

 

- Jouni

ciscoasa# packet-tracer input inside tcp 10.1.12.164 80 216.117.40.14 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4      
Type: NAT     
Subtype:      
Result: ALLOW
Config:       
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (99.24.60.86 [Interface PAT])
    translate_hits = 4937324, untranslate_hits = 908569
Additional Information:
Dynamic translate 10.1.12.164/80 to 99.24.60.86/42 using netmask 255.255.255.255
              
Phase: 5      
Type: NAT     
Subtype: host-limits
Result: ALLOW
Config:       
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
              
Phase: 6      
Type: HOST-LIMIT
Subtype:      
Result: ALLOW
Config:       
Additional Information:
              
Phase: 7      
Type: IP-OPTIONS
Subtype:      
Result: ALLOW
Config:       
Additional Information:
              
Phase: 8      
Type: FLOW-CREATION
Subtype:      
Result: ALLOW
Config:       
Additional Information:
New flow created with id 6868761, packet dispatched to next module
              
Result:       
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Hi,

 

You are using the wrong IP addresses. You should use the actual host IP addresses that fit into the ACL used for the L2L VPN. And as I said, you will use the real/local IP address as the source.

 

So it would be something like this, for example:

 

packet-tracer input inside tcp 192.168.1.2 12345 192.168.50.100 80

 

I think the above source IP was listed in some of your other posts. The destination IP address and port are just some that fit the remote network in the L2L VPN configuration.

 

Remember to issue the "packet-tracer" command twice.

 

- Jouni

Forgot that. Here is the output, issued back to back:

 

 

ciscoasa# packet-tracer input inside tcp 192.168.1.2 12345 192.168.50.100 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4      
Type: NAT     
Subtype:      
Result: ALLOW
Config:       
static (inside,outside) 10.1.12.164  access-list nat
  match ip inside host 192.168.1.2 outside 192.168.50.0 255.255.255.0
    static translation to 10.1.12.164
    translate_hits = 1, untranslate_hits = 0
Additional Information:
Static translate 192.168.1.2/0 to 10.1.12.164/0 using netmask 255.255.255.255
              
Phase: 5      
Type: NAT     
Subtype: host-limits
Result: ALLOW
Config:       
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
  match tcp inside host 192.168.1.2 eq 3389 outside any
    static translation to 99.24.60.86/3389
    translate_hits = 214, untranslate_hits = 216877
Additional Information:
              
Phase: 6      
Type: HOST-LIMIT
Subtype:      
Result: ALLOW
Config:       
Additional Information:
              
Phase: 7      
Type: VPN     
Subtype: encrypt
Result: DROP  
Config:       
Additional Information:
              
Result:       
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop  
Drop-reason: (acl-drop) Flow is denied by configured rule
              
ciscoasa#
ciscoasa# packet-tracer input inside tcp 192.168.1.2 12345 192.168.50.100 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4      
Type: NAT     
Subtype:      
Result: ALLOW
Config:       
static (inside,outside) 10.1.12.164  access-list nat
  match ip inside host 192.168.1.2 outside 192.168.50.0 255.255.255.0
    static translation to 10.1.12.164
    translate_hits = 2, untranslate_hits = 0
Additional Information:
Static translate 192.168.1.2/0 to 10.1.12.164/0 using netmask 255.255.255.255
              
Phase: 5      
Type: NAT     
Subtype: host-limits
Result: ALLOW
Config:       
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
  match tcp inside host 192.168.1.2 eq 3389 outside any
    static translation to 99.24.60.86/3389
    translate_hits = 214, untranslate_hits = 216877
Additional Information:
              
Phase: 6      
Type: HOST-LIMIT
Subtype:      
Result: ALLOW
Config:       
Additional Information:
              
Phase: 7      
Type: VPN     
Subtype: encrypt
Result: DROP  
Config:       
Additional Information:
              
Result:       
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop  
Drop-reason: (acl-drop) Flow is denied by configured rule

 

Hi,

 

It seems to me that the "packet-tracer" test matches the correct static policy NAT rule.

 

It would seem to suggest that the VPN configurations don't match between this site and the remote site. Or perhaps the remote site has not configured their side yet.

 

If you issue the same "packet-tracer" command once or twice, then issue the command "show crypto isakmp sa", it should show us if Phase 1 goes through. You should see the remote VPN device IP address in the output and, if Phase 1 goes through, you should be seeing "MM_ACTIVE" listed.

 

If you can see that, then the problem is probably in the Phase 2 configuration in the crypto map, which you can list with "show run crypto map".

 

- Jouni
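As an added example (not code from the thread or from Cisco), the following script encodes the decision tree Jouni walks through above. It takes the text of the second packet-tracer run and of `show crypto isakmp sa` and returns one of four verdicts: no VPN phase at all (the traffic never hit the crypto map, so NAT or the crypto ACL is wrong, as in the first test with the wrong addresses), VPN phase ALLOW (tunnel up), VPN phase DROP with the peer in MM_ACTIVE (Phase 1 done, Phase 2 mismatch), or VPN phase DROP with no ISAKMP SA (Phase 1 never completed). The packet-tracer sample is trimmed from the output posted above; the MM_ACTIVE sample is constructed in the ASA's output format and is not something the thread showed.

```python
"""Interpret back-to-back 'packet-tracer' runs and 'show crypto isakmp sa'
output to say where an ASA L2L tunnel is stuck. Added example, not from the
thread; all sample outputs below are constructed."""
import re

# Constructed sample: the second packet-tracer run, trimmed to the phases that matter.
SECOND_RUN = """\
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) 10.1.12.164  access-list nat
Additional Information:
Static translate 192.168.1.2/0 to 10.1.12.164/0 using netmask 255.255.255.255

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample: what the thread's last post showed.
NO_ISAKMP_SA = "There are no isakmp sas\n"

# Constructed sample of a completed Phase 1 (ASA output format, values made up).
ISAKMP_SA_ACTIVE = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 216.117.40.14
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

ADVICE = {
    "no-crypto-match": "no VPN phase: the flow never matched the crypto map ACL; check NAT and the crypto ACL",
    "tunnel-up": "VPN phase ALLOW: the packet would be encrypted, the tunnel is up",
    "phase2-mismatch": "Phase 1 is MM_ACTIVE but Phase 2 fails: compare transform-set, PFS, lifetimes and crypto ACL with the peer",
    "phase1-failed": "no ISAKMP SA with the peer: check IKE policy, pre-shared key, UDP/500 reachability, or whether the peer is configured at all",
}


def parse_packet_tracer(text):
    """Return (phases, action, drop_reason); each phase keeps the ASA's own field names."""
    phases, current, action, drop_reason = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            current = {"num": int(line.split(":", 1)[1])}
            phases.append(current)
        elif line == "Result:":               # a bare 'Result:' opens the summary block
            current = None
        elif line.startswith("Action:"):
            action = line.split(":", 1)[1].strip()
        elif line.startswith("Drop-reason:"):
            drop_reason = line.split(":", 1)[1].strip()
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return phases, action, drop_reason


def parse_isakmp_sa(text):
    """Map IKE peer address -> state (e.g. MM_ACTIVE) from 'show crypto isakmp sa'."""
    states, peer = {}, None
    for line in text.splitlines():
        if m := re.search(r"IKE Peer:\s*(\S+)", line):
            peer = m.group(1)
        if (m := re.search(r"State\s*:\s*(\S+)", line)) and peer:
            states[peer] = m.group(1)
    return states


def diagnose(second_run, isakmp_sa, peer):
    """Verdict for the SECOND packet-tracer run (the first always drops in the
    VPN phase while it kicks off the negotiation)."""
    phases, action, _ = parse_packet_tracer(second_run)
    vpn = next((p for p in phases if p.get("Type") == "VPN"), None)
    if vpn is None:
        return "no-crypto-match"
    if vpn.get("Result") == "ALLOW" and action == "allow":
        return "tunnel-up"
    if parse_isakmp_sa(isakmp_sa).get(peer) == "MM_ACTIVE":
        return "phase2-mismatch"
    return "phase1-failed"


if __name__ == "__main__":
    verdict = diagnose(SECOND_RUN, NO_ISAKMP_SA, "216.117.40.14")
    print(verdict, "-", ADVICE[verdict])
```

With the output Derek posted (VPN phase DROP on the second run and "There are no isakmp sas") the verdict is `phase1-failed`, which is the same conclusion the thread reaches: Phase 1 never completes, so the crypto map settings cannot yet be the problem.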

 

 

ciscoasa# show crypto isakmp sa

There are no isakmp sas
ciscoasa#