02-03-2011 03:54 AM - edited 03-11-2019 12:44 PM
Dear All,
I have ASA 5505 with base license and IOS version is 7.2(4). I configured both site to site vpn and Remote Access VPN. Site to Site VPN is working fine and also Remote access vpn tunnel came up, remote user got IP address from the firewall.
But the problem is remote user unable to ping the local users.
While watching the logs it shows: " IKE initiator unable to find the policy: Src "
Below I am attaching the configuration.....
Your response is appreciated.......
Regards,
Janardhan
02-03-2011 05:20 AM
Hi,
Looking at the configuration, you're having a split-tunneling ACL called RAVPN_splitTunnelAcl
But that ACL is not defined in the configuration
You can go ahead and add:
access-list RAVPN_splitTunnelAcl permit 192.168.8.0 255.255.255.0
Also another recommendation is not to use the same subnet range for the VPN pool that the local network.
A good test I like to use is to add management-access inside and try to PING the inside IP of the ASA from the VPN client.
After this, check the output of sh cry ips sa to check for packets encrypted/decrypted.
Federico.
02-03-2011 06:22 AM
Hi Federic,
Thanks for your response.....
I did what you said, but the problem is still the same.
Site to Site VPN working fine and Remote Access VPN came up. But remote user unable to ping the local n/w.
Configured below statements:
ip local pool RPOOL 10.10.10.1-10.10.10.10 mask 255.255.255.0
access-list RAVPN_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.10.10.0 255.255.255.0
management-access inside
For your reference I am attaching the configuration and output of the sh cry ipsec sa command.
Regards,
Janardhan
02-03-2011 07:10 AM
Do this:
no access-list RAVPN_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list RAVPN_splitTunnelAcl standard permit 192.168.8.0 255.255.255.0
Clear the SA:
clear cry isa sa
clear cry ips sa
Then try to PING 192.168.8.200 from the VPN client.
Federico.
02-03-2011 08:09 AM
Hi Federico,
Thanks for reply.....
I did what you said.
But still having the same problem....
Regards,
Janardhan
02-03-2011 08:15 AM
Ok but did you try to PING 192.168.8.200 from the VPN client?
If the PING is successful, we are almost there ;p
If the PING is unsuccessful, check on the VPN client under statistics, if packets are being encrypted.
As well check the show crypto ipse sa if packets are being decrypted.
Federico.
02-03-2011 07:01 PM
Hi Federico,
Ping is not successful....
But in firewall showing packets are decrypted.....
Regards,
Janardhan
02-03-2011 09:45 PM
Hi Federico,
This is the error log while I am pinging from the client.
3 Feb 03 2011 22:08:03 713042 IKE Initiator unable to find policy: Intf outside, Src: 192.168.8.200, Dst: 10.10.10.1
Regards,
Janardhan
02-04-2011 01:55 AM
Hi Federico,
Is there any update...
Regards,
Janardhan
02-04-2011 07:43 PM
Janardhan,
There's VPN traffic flowing fine between 192.168.0.0/22 and 192.168.8.0/24
Could you post your updated configuration?
Federico.
02-04-2011 08:21 PM
Hi Federico,
Thanks for your support and patience all this time...
Below is the updated configuration.....
: Saved
:
ASA Version 7.2(4)
!
hostname KHARKANA
domain-name default.domain.invalid
enable password mwHq/3jt1S2xX9nS encrypted
passwd JbFSGGm/y7i8EPBL encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.8.200 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.0
!
interface Vlan200
no nameif
no security-level
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list 100 extended permit ip any any
access-list 100 extended permit tcp any any
access-list 100 extended permit udp any any
access-list 100 extended permit icmp any any
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any any
access-list 101 extended permit udp any any
access-list RAVPN_splitTunnelAcl standard permit 192.168.8.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RPOOL 10.10.10.1-10.10.10.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.8.104 https netmask 255.255.255.255
static (inside,outside) tcp interface 81 192.168.8.220 81 netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.8.170 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface 8002 192.168.8.170 8002 netmask 255.255.255.255
static (inside,outside) tcp interface 8003 192.168.8.170 8003 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.8.170 ftp netmask 255.255.255.255
static (inside,outside) tcp interface telnet 192.168.8.170 telnet netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.8.170 8080 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.8.104 www netmask 255.255.255.255
access-group 100 in interface inside
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set FirstSet
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map abcmap 1 match address nonat
crypto map abcmap 1 set peer 182.72.240.158
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.8.2-192.168.8.129 inside
dhcpd enable inside
!
group-policy RAVPN internal
group-policy RAVPN attributes
banner value UNAUTHORIZED USERS ARE STRICTLY PROHIBITED- POWERED BY NIPUN NET SOLUTIONS
dns-server value X.X.X.X X.X.X.X
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RAVPN_splitTunnelAcl
username test1 password Kg/Rgy23do7gPGTv encrypted
username test1 attributes
vpn-group-policy RAVPN
username test password P4ttSyrm33SV8TYp encrypted
username lucid password /HXEx0mtSZZd.DrB encrypted
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
tunnel-group RAVPN type ipsec-ra
tunnel-group RAVPN general-attributes
address-pool RPOOL
default-group-policy RAVPN
tunnel-group RAVPN ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
class-map testmap
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8f59afb70deaac55290ddef58961445a
: end
Regards,
Janardhan
02-05-2011 03:46 AM
Hi Federico,
Finally I got the result..
Below is the configuration I modified..
access-list crypto_one extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0
Then change :-
crypto map abcmap 1 match address nonat
crypto map abcmap 1 set peer X.X.X.X
crypto map abcmap 1 set transform-set FirstSet
to :-
crypto map abcmap 1 match address crypto_one
crypto map abcmap 1 set peer X.X.X.X
crypto map abcmap 1 set transform-set FirstSet
Now both VPNs are working fine..
Thanks for your support..
Regards,
Janardhan
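The root cause in this thread is that the static crypto map entry matched on the "nonat" ACL, which also covers the remote-access pool 10.10.10.0/24, so the ASA tried to bring up the site-to-site tunnel for client-bound traffic and logged "IKE Initiator unable to find policy". The following is an added example, not from the thread or from Cisco: a small Python linter that parses ASA-style `access-list`, `ip local pool` and `crypto map ... match address` lines and reports any crypto ACL entry whose destination overlaps a remote-access pool. The sample configuration text is constructed from lines posted in the thread; the regexes assume the standard "extended permit ip" ACE form and do not cover object-groups or service ACEs.

```python
"""Added example: detect a static crypto map ACL that overlaps a remote-access pool.

The ASA selects the crypto map entry by ACL match; if the entry's ACL also
covers the client pool, client-bound traffic is treated as site-to-site traffic.
Sample config below is constructed from the thread (not a real device export).
"""
import ipaddress
import re

# Constructed sample: the "before" state plus the dedicated ACL added in the fix.
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list crypto_one extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0
ip local pool RPOOL 10.10.10.1-10.10.10.10 mask 255.255.255.0
crypto map abcmap 1 match address nonat
crypto map abcmap 1 set peer 182.72.240.158
"""

# Assumed ASA syntax forms (hypothetical coverage: extended "permit ip" ACEs only).
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def parse_config(text):
    """Return (acls, pools, crypto_matches) parsed from ASA config lines.

    acls:  name -> list of (src_network, dst_network)
    pools: name -> (first_address, last_address)
    crypto_matches: list of (map_name, seq, acl_name)
    """
    acls, pools, matches = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := ACE_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            # ipaddress accepts dotted netmasks, e.g. "192.168.8.0/255.255.255.0"
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"),
                 ipaddress.ip_network(f"{dst}/{dmask}"))
            )
        elif m := POOL_RE.match(line):
            name, first, last, _mask = m.groups()
            pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif m := MATCH_RE.match(line):
            map_name, seq, acl = m.groups()
            matches.append((map_name, int(seq), acl))
    return acls, pools, matches


def pool_overlaps(net, pool):
    """True if the address range of a pool intersects the given network."""
    first, last = pool
    return (int(net.network_address) <= int(last)
            and int(net.broadcast_address) >= int(first))


def find_conflicts(text):
    """Report every crypto-map ACE whose destination covers a remote-access pool."""
    acls, pools, matches = parse_config(text)
    findings = []
    for map_name, seq, acl in matches:
        for src, dst in acls.get(acl, []):
            for pool_name, pool in pools.items():
                if pool_overlaps(dst, pool):
                    findings.append(
                        f"crypto map {map_name} {seq} uses ACL {acl}: "
                        f"ACE {src} -> {dst} covers RA pool {pool_name}"
                    )
    return findings


if __name__ == "__main__":
    for finding in find_conflicts(SAMPLE_CONFIG):
        print("WARNING:", finding)
    fixed = SAMPLE_CONFIG.replace("match address nonat", "match address crypto_one")
    print("after fix:", find_conflicts(fixed) or "no conflicts")
```

Running it on the constructed sample reports the `abcmap 1` / `nonat` overlap with RPOOL and reports nothing once the match address is switched to `crypto_one`, which is exactly the change the final post made. The same parse also makes the posted `telnet 0.0.0.0 0.0.0.0 outside` and `http 0.0.0.0 0.0.0.0 outside` lines easy to spot; cleartext and web management reachable from any source on the outside interface is worth tightening to specific source addresses regardless of the VPN issue.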