topic Re: Dynamic-Static IPSEC between the ASA & Router in Network Security

Dynamic-Static IPSEC between the ASA & Router

jack samuel — Mon, 11 Mar 2019 22:15:28 GMT

Hello,

Core-HQ--------------------ASA-------------ISP---------Branch- Router

192.168.0.0 172.16.0.0

I have a query regarding the interesting traffic of VPN.

Our ASA is on static public IP and the branch router is on dynamic ADSL , when i specify the interesting traffic on ASA i.e

access-list abc extended permit ip 192.168.0.0 255.255.0.0 any ----------- it works the tunnel is up when Branch router initiates a ping to 192.168.0.0 network in HQ but when i change the access-list to

access-list abc extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0 ---------it does'nt works,

Please find the Capture output.

Re: Dynamic-Static IPSEC between the ASA & Router

andrew.prince — Tue, 17 Jan 2012 07:54:15 GMT

This is normal. See the below URL

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

Sent from Cisco Technical Support iPad App

Dynamic-Static IPSEC between the ASA & Router

jack samuel — Tue, 17 Jan 2012 08:08:39 GMT

Hello,

I have the above document, This means interesting traffic should be permited from HQ to anywhere????

, IF suppose i would have 2 branches with VPN and i want to allow the HQ user A to allow access the branch A and not to Branch B.
If suppose i have a user B in HQ and i want to allow him to access the Brach B only

so in this situation what can be done.

Dynamic-Static IPSEC between the ASA & Router

EliasTlou — Tue, 17 Jan 2012 08:57:54 GMT

Hi Jack,

When you change the interesting traffic ACL on the ASA you should do the same on the remote Router.

e.g ASA

access-list abc extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0

Remote Router

access-list abc extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0

Rememeber to put this line on your NO-NAT ACL.

This should work.

Are you using crypto maps or VTI on the router?

Dynamic-Static IPSEC between the ASA & Router

jack samuel — Tue, 17 Jan 2012 11:52:05 GMT

Hello Elias

I have done the above b4 but it does'nt work

Dynamic-Static IPSEC between the ASA & Router

EliasTlou — Tue, 17 Jan 2012 12:00:08 GMT

Hi Jack,

After changinig your interesting traffic ACLs, did you clear the crypto SAs and IPSEC SAs and allowed the tunnel to re-establish with the new settings?

If so, what is the debug saying?

e.g. debug crypto isakmp 10

Check the bebug carefully and see why the tunnel fails to establish.

Dynamic-Static IPSEC between the ASA & Router

ajay chauhan — Tue, 17 Jan 2012 12:06:09 GMT

Hi Jack,

You should post both end configuration. Also after changing these ACL you should do some crypto debug on router to collect the logs.

Thanks

Ajay

Re: Dynamic-Static IPSEC between the ASA & Router

jack samuel — Tue, 17 Jan 2012 19:32:09 GMT

Hello

Now even though the ping is stopped, the phase I and phase II are complete but still the traffic does'nt pass.

Thanks

Re: Dynamic-Static IPSEC between the ASA & Router

EliasTlou — Tue, 17 Jan 2012 19:45:24 GMT

Hi Jack,

Please check your interface access-lists (even though I doubt this could be an issue because the traffic went through the first time), try to inspect icmp, run the captures on the inside interface to see if the traffic gets back, check if sysopt connection permit-VPN is running.

Sent from Cisco Technical Support iPhone App

Re: Dynamic-Static IPSEC between the ASA & Router

jack samuel — Tue, 17 Jan 2012 20:35:39 GMT

Hello,

(even though I doubt this could be an issue because the traffic went through the first time), By watching which line u say this??? Can u highlight the line in my logs please.

Not related to the vpn problem above in general i m asking what these below logs says:

*Jan 18 14:24:34.351: ISAKMP: DPD received KMI message.

*Jan 18 14:24:34.351: ISAKMP: IPSec requested DPD; SA state 0x0 or SA is null. Reinitiating phase 1.

*Jan 18 14:24:34.351: ISAKMP: Locking peer struct 0x47092658, refcount 1 for DPD/create new SA

*Jan 18 14:24:34.351: ISAKMP: local port 500, remote port 500

*Jan 18 14:24:34.351: insert sa successfully sa = 4751DE0C

*Jan 18 14:24:34.351: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Jan 18 14:24:34.351: ISAKMP:(0):found peer pre-shared key matching 192.168.20.1

*Jan 18 14:24:34.351: ISAKMP:(0): Unknown DOI 0

*Jan 18 14:24:34.351: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Jan 18 14:24:34.351: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Jan 18 14:24:34.351: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Jan 18 14:24:34.351: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Jan 18 14:24:34.351: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

*Jan 18 14:24:34.351: ISAKMP:(0): sending packet to 192.168.20.1 my_port 500 peer_port 500 (I) MM_NO_STATE

*Jan 18 14:24:34.355: ISAKMP (0:0): received packet from 192.168.20.1 dport 500 sport 500 Global (I) MM_NO_STATE

*Jan 18 14:24:34.355: ISAKMP:(0):Notify has no hash. Rejected.

*Jan 18 14:24:34.355: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1

*Jan 18 14:24:34.355: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

*Jan 18 14:24:34.355: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1

*Jan 18 14:24:34.355: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.168.20.1....

Success rate is 0 percent (0/5)

Thanks

Re: Dynamic-Static IPSEC between the ASA & Router

jack samuel — Tue, 17 Jan 2012 21:51:51 GMT

Now i changed the access-list according to the mirror of router still it doesnt work it gives me the below error.in the debug of ASA

Session is being torn down. Reason: crypto map policy not found

Dynamic-Static IPSEC between the ASA & Router

ajay chauhan — Tue, 17 Jan 2012 22:05:24 GMT

Post your router config as well.

Re: Dynamic-Static IPSEC between the ASA & Router

jack samuel — Tue, 17 Jan 2012 22:10:56 GMT

I have mirrored the traffic and it worked. fine

Thanks all who contribute to give suggestions, i wll rate to all of your'll.