04-09-2008 12:54 AM - edited 03-03-2019 09:28 PM
Hi,
I have managed to complete phase 1 and phase 2 of the VPN from the ASA 5520 to the remote office which is a Cisco 877 DSL router.
Now here is the difficult part to explain:
It seems that if I ping servers from the remote office to servers on the inside of the ASA they won't reply, but if I reverse this and send a ping from one of the servers on the ASA's inside to the remote network it will time out (on one line), then come up, and then both sides can ping. It's as if only the ASA/server side can start the communication, which is not right; I want both sides to be able to do this.
I then notice on the ASA 5520 that I will have 1 IKE tunnel and 1 IPSec tunnel, and these IPSec tunnels will increase if I ping from another server to the remote network. Is this right?
I pinged the remote network from 4 servers and it went:
1 IKE Tunnel 1 IPSec Tunnel
1 IKE Tunnel 2 IPSec Tunnel
1 IKE Tunnel 3 IPSec Tunnel
1 IKE Tunnel 4 IPSec Tunnel
If I ping from another server not yet used it will be:
1 IKE Tunnel 5 IPSec Tunnel
I thought 1 IKE and 1 IPSec tunnel would support all communication.
04-09-2008 01:27 AM
Hi James,
Can you provide us the ASA configuration, or if possible, the router side also, so we can definitely assist you further.
04-09-2008 03:32 AM
04-09-2008 05:17 AM
Hi James,
Please provide me:
a) NAT - global, inside, outside
b) route - static and default
c) all crypto parts
04-09-2008 05:55 AM
Here it is:
nat-control
global (outside) 1 interface
nat (outside) 1 192.168.7.0 255.255.255.0
nat (outside) 1 192.168.8.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
sysopt noproxyarp inside
sysopt noproxyarp DMZ1_Web_Servers
service resetoutside
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 82.149.110.103
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
tunnel-group 81.x.x.103 type ipsec-l2l
tunnel-group 81.x.x.103 ipsec-attributes
pre-shared-key 123456789
!
class-map inspection_default
match default-inspection-traffic
route outside 172.19.15.0 255.255.255.0 Internet_Router 1
access-list inside_access_in extended permit ip any 172.19.15.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip any 172.19.15.0 255.255.255.0
04-09-2008 06:10 AM
You need to have a nat exemption on the outside interface. Add this to your config and it should fix the issue:
access-list inside_outbound_nat0_acl permit ip 192.168.7.0 255.255.255.0 172.19.15.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.8.0 255.255.255.0 172.19.15.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.19.15.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.19.15.0 255.255.255.0 192.168.8.0 255.255.255.0
nat (outside) 0 inside_outbound_nat0_acl
04-09-2008 06:32 AM
What does nat (outside) 0 inside_outbound_nat0_acl do?
Also: 192.168.7.0 and 192.168.8.0 are other VPN networks, not internal; my internal LAN is 192.168.21.0 and 192.168.20.0. Should these be added?
I will try this.
04-09-2008 06:52 AM
It is a NAT exemption so that outside addresses do not get NAT'ed when they are headed for your network. You have a nat 0 on your inside that says permit any to 172.19.15.0.
Traffic from your remote office was not being NAT'ed when going to 172.19.15.0. Now we use the same ACL, add the lines that I showed you, and apply it to the outside, so when traffic from 172.19.15.0 is going to 192.168.7.0 and 192.168.8.0 it is not NAT'ed.
04-09-2008 07:18 AM
Hi,
I added nat (outside) 0 access-list inside_outbound_nat0_acl and all my inside NAT rules were copied to the outside. Is this right?
I failed to mention these static NATs too; does this matter?
static (inside,outside) 80.171.16.67 VO09 netmask 255.255.255.255
static (DMZ1,outside) 80.171.16.68 A-SERVER netmask 255.255.255.255
static (DMZ1,outside) 80.171.16.72 p_server netmask 255.255.255.255
static (DMZ1,outside) logger logger netmask 255.255.255.255
static (DMZ1,outside) 80.171.16.78 PRS netmask 255.255.255.255
static (DMZ1,outside) 80.171.16.84 Videocom netmask 255.255.255.255
static (DMZ1,outside) 80.171.16.94 Top netmask 255.255.255.255
static (DMZ1,outside) 80.171.16.74 LCD netmask 255.255.255.255
static (DMZ1,outside) 80.171.16.93 bottom netmask 255.255.255.255
static (DMZ1,outside) 80.171.16.79 Player2 netmask 255.255.255.255
static (DMZ1,outside) 80.171.16.80 Player1 netmask 255.255.255.255
static (DMZ2,outside) Dial-up Dial-up netmask 255.255.0.0
static (DMZ2,outside) Dial-up Dial-up netmask 255.255.0.0
static (inside,DMZ2) 128.101.10.4 SV6 netmask 255.255.255.255
static (inside,outside) 80.171.16.92 Xe_7245_ netmask 255.255.255.255
static (inside,DMZ4) SV02 SV02 netmask 255.255.255.255
static (inside,DMZ4) VO005 VO005 netmask 255.255.255.255
static (inside,outside) 80.171.16.77 SV06 netmask 255.255.255.255
static (inside,DMZ1) MOrver MOrver netmask 255.255.255.255
static (inside,DMZ2) MOrver MOrver netmask 255.255.255.255
static (inside,DMZ1) VO1 VO1 netmask 255.255.255.255
static (inside,DMZ1) Andr Andr netmask 255.255.255.255
static (inside,outside) 80.171.16.88 SV10 netmask 255.255.255.255
static (DMZ1,outside) 80.171.16.89 Uafits netmask 255.255.255.255
04-09-2008 07:49 AM
I have run:
debug crypto ipsec 127
debug crypto isakmp 127
remote office = IP 1.2.3.4
Apr 09 16:43:43 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, Removing peer from correlator table failed, no match!
Apr 09 16:43:43 [IKEv1 DECODE]: IP = 1.2.3.4, IKE Responder starting QM: msg id = e46b66a3
Apr 09 16:43:43 [IKEv1]: IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=e46b66a3) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
Apr 09 16:43:43 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, processing hash payload
Apr 09 16:43:43 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, processing SA payload
Apr 09 16:43:43 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, processing nonce payload
Apr 09 16:43:43 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, processing ID payload
Apr 09 16:43:43 [IKEv1 DECODE]: Group = 1.2.3.4, IP = 1.2.3.4, ID_IPV4_ADDR_SUBNET ID received--172.19.15.0--255.255.255.0
Apr 09 16:43:43 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, Received remote IP Proxy Subnet data in ID Payload: Address 172.19.15.0, Mask 255.255.255.0, Protocol 0, Port 0
Apr 09 16:43:43 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, processing ID payload
Apr 09 16:43:43 [IKEv1 DECODE]: Group = 1.2.3.4, IP = 1.2.3.4, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
Apr 09 16:43:43 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Apr 09 16:43:43 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, QM IsRekeyed old sa not found by addr
Apr 09 16:43:43 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, Static Crypto Map check, checking map = outside_map, seq = 1...
Apr 09 16:43:43 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:172.19.15.0 dst:0.0.0.0
Apr 09 16:43:43 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
Apr 09 16:43:43 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, processing IPSec SA payload
Apr 09 16:43:43 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, All IPSec SA proposals found unacceptable!
Apr 09 16:43:43 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, sending notify message
Apr 09 16:43:43 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, constructing blank hash payload
Apr 09 16:43:43 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, constructing ipsec notify payload for msg id e46b66a3
Apr 09 16:43:43 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, constructing qm hash payload
Apr 09 16:43:43 [IKEv1]: IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=920f1396) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 09 16:43:43 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, QM FSM error (P2 struct &0xc94c2f88, mess id 0xe46b66a3)!
Apr 09 16:43:43 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, IKE QM Responder FSM error history (struct &0xc94c2f88)
Apr 09 16:43:43 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, sending delete/delete with reason message
Apr 09 16:43:43 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, Removing peer from correlator table failed, no match!
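The debug output above ends in "ACL does not match proxy IDs src:172.19.15.0 dst:0.0.0.0", and the earlier replies turn on which traffic the nat 0 ACL exempts. The script below is an added example, not code from the thread or from Cisco: it parses the two "Proxy Subnet" lines out of debug text of the same format, compares them against an ASA crypto ACL, and checks a packet against a NAT-exemption ACL. The contents of outside_1_cryptomap are never shown in the thread, so the CRYPTO_ACL entries are constructed from the poster's stated LANs (192.168.20.0/24 and 192.168.21.0/24); the matching rule used (exact mirror of an ACE) is a simplification and an assumption, not the ASA's documented algorithm.

```python
import ipaddress
import re

# Constructed sample: the two proxy-ID lines, in the same format as the
# poster's "debug crypto isakmp" output (peer 1.2.3.4 as in the thread).
DEBUG_LINES = [
    "Apr 09 16:43:43 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, Received remote IP Proxy Subnet "
    "data in ID Payload: Address 172.19.15.0, Mask 255.255.255.0, Protocol 0, Port 0",
    "Apr 09 16:43:43 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, Received local IP Proxy Subnet "
    "data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0",
]

# Hypothetical outside_1_cryptomap (not shown in the thread), built from the
# poster's internal LANs.
CRYPTO_ACL = [
    "access-list outside_1_cryptomap extended permit ip 192.168.21.0 255.255.255.0 172.19.15.0 255.255.255.0",
    "access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 172.19.15.0 255.255.255.0",
]

# The poster's nat 0 ACL plus the four lines suggested in the reply above.
NAT0_ACL = [
    "access-list inside_outbound_nat0_acl extended permit ip any 172.19.15.0 255.255.255.0",
    "access-list inside_outbound_nat0_acl permit ip 192.168.7.0 255.255.255.0 172.19.15.0 255.255.255.0",
    "access-list inside_outbound_nat0_acl permit ip 192.168.8.0 255.255.255.0 172.19.15.0 255.255.255.0",
    "access-list inside_outbound_nat0_acl permit ip 172.19.15.0 255.255.255.0 192.168.7.0 255.255.255.0",
    "access-list inside_outbound_nat0_acl permit ip 172.19.15.0 255.255.255.0 192.168.8.0 255.255.255.0",
]

PROXY_RE = re.compile(
    r"Received (remote|local) IP Proxy Subnet data in ID Payload: Address (\S+), Mask (\S+),"
)


def _operand(tokens, i):
    """Read one ACE address operand: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Return (acl_name, src_net, dst_net) for an ASA 'permit ip' ACE."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or "permit" not in tokens:
        raise ValueError(f"not a permit ACE: {line}")
    i = tokens.index("permit") + 2  # skip 'permit ip'
    src, i = _operand(tokens, i)
    dst, _ = _operand(tokens, i)
    return tokens[1], src, dst


def parse_proxy_ids(lines):
    """Extract the peer's proposed proxy IDs from debug text.

    'remote' is the subnet behind the peer; 'local' is the subnet the peer
    believes sits behind this ASA."""
    ids = {}
    for line in lines:
        m = PROXY_RE.search(line)
        if m:
            side, addr, mask = m.groups()
            ids[side] = ipaddress.ip_network(f"{addr}/{mask}")
    return ids


def check_crypto_acl(acl_lines, proxy):
    """Compare proxy IDs with each ACE (simplified model, an assumption).

    Exact: ACE source == local proxy and ACE destination == remote proxy.
    Partial: both proxy IDs merely fall inside the ACE networks."""
    exact, partial = [], []
    for line in acl_lines:
        _, src, dst = parse_ace(line)
        if src == proxy["local"] and dst == proxy["remote"]:
            exact.append(line)
        elif proxy["local"].subnet_of(src) and proxy["remote"].subnet_of(dst):
            partial.append(line)
    return exact, partial


def expected_proxy_ids(acl_lines):
    """Proxy IDs the ASA expects for each ACE: local = src, remote = dst."""
    return [{"local": src, "remote": dst} for _, src, dst in map(parse_ace, acl_lines)]


def is_nat_exempt(acl_lines, src_ip, dst_ip):
    """True if a packet src->dst hits any ACE of the nat 0 ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for _, src, dst in map(parse_ace, acl_lines))


if __name__ == "__main__":
    proxy = parse_proxy_ids(DEBUG_LINES)
    print(f"peer proposed: local={proxy['local']} remote={proxy['remote']}")
    exact, partial = check_crypto_acl(CRYPTO_ACL, proxy)
    if exact:
        print("static crypto map matches:", *exact, sep="\n  ")
    else:
        print("no ACE matches; phase 2 falls through to the dynamic map. Expected one of:")
        for want in expected_proxy_ids(CRYPTO_ACL):
            print(f"  local={want['local']} remote={want['remote']}")
    for src, dst in [("192.168.21.5", "172.19.15.10"), ("172.19.15.10", "192.168.21.5")]:
        print(f"{src} -> {dst}: nat 0 exempt = {is_nat_exempt(NAT0_ACL, src, dst)}")
```

Run on the constructed input, the crypto check reports no match because the peer proposes 0.0.0.0/0 for the ASA side while every ACE names a specific LAN, which is what "ACL does not match proxy IDs" describes; the expected pairs it prints are what the peer's mirrored ACL would need to propose. The NAT check shows that the four suggested lines exempt 172.19.15.0/24 to 192.168.7.0/24 and 192.168.8.0/24, but not 172.19.15.0/24 to the poster's 192.168.21.0/24, which is the question raised about the internal LANs.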
04-09-2008 08:36 AM
Can you post the config from the router.
04-09-2008 11:11 AM
Hi Smitty,
The config is attached up the top of this forum post.
Also, should I have some "access-list encrypt-acl extended permit ip" in my config somewhere?