ASA 5505 > Windows 2008 R2 site to site tunnel traffic not flowing T20121110.0021

rscadmins (Level 1)

Hello all, long time follower first time poster here.

[Attachment: Capture.PNG]

I have 2 issues really, but both related:

1: I have an ASA 5505 with a tunnel to the public interface of a Windows Server 2008 R2 box in the cloud using the built-in advanced connection rules. I can get this tunnel to come up by pinging an inside subnet IP from either side. The tunnel will stay up for a while then disconnect with the error:

Session disconnected, reason user requested.

So how do I get this tunnel to stay alive? And I have a feeling the answer will depend on the next problem:

2: And probably more importantly, I'm unable to ping hosts on either side of the tunnel once the tunnel is up. If I use the packet tracer on the ASA it shows that packets to the cloud server's inside subnet get dropped with the error (Deny IP spoof from 192.168.1.1 to 10.180.20.97 on inside), which doesn't seem right to me as the traffic should be treated as inside traffic destined for the VPN tunnel. However, if I ping the Windows box from a host behind the ASA, the tunnel comes up, Deny IP spoof isn't seen in the logs, and pings are unsuccessful. And of course I cannot ping the ASA from the Windows box either.

Any help would be greatly appreciated!

Thanks!

-SyFry

4 Replies

pkupisie (Cisco Employee)

Hello Matt,

Can you please share the part of your configuration relating to VPN on the ASA?

Crypto map, ACL, interfaces and routing. You can obviously change the external IPs to something else.

Please also attach the output of the command "show crypto ipsec sa" while the tunnel is up. It would be nice to look at the encaps/decaps statistics to understand what exactly is going on.

In regards to the spoofing, it is really strange. If you could, please also paste "show ip route" output. It could be helpful.

Thanks,

The tunnel group in question is: tunnel-group 198.xxx.xxx.xxx with crypto map Comcast_map 3

Thanks!

Result of the command: "show crypto ipsec sa"

====================================

interface: Comcast

    Crypto map tag: Comcast_map, seq num: 2, local addr: 75.xxx.xxx.xxx

      access-list Comcast_2_cryptomap extended permit ip 172.16.2.0 255.255.255.0 10.20.21.0 255.255.255.0

      local ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (10.20.21.0/255.255.255.0/0/0)

      current_peer: 38.xxx.xxx.xxx

      #pkts encaps: 2619968, #pkts encrypt: 2619968, #pkts digest: 2619968

      #pkts decaps: 2244120, #pkts decrypt: 2244120, #pkts verify: 2244120

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 2619968, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.xxx.xxx.xxx/0, remote crypto endpt.: 38.xxx.xxx.xxx/0

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 04F45EF6

      current inbound spi : 9563CF60

    inbound esp sas:

      spi: 0x9563CF60 (2506346336)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 1306624, crypto-map: Comcast_map

         sa timing: remaining key lifetime (kB/sec): (4372213/21380)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFE

    outbound esp sas:

      spi: 0x04F45EF6 (83123958)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 1306624, crypto-map: Comcast_map

         sa timing: remaining key lifetime (kB/sec): (4360437/21380)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    Crypto map tag: Comcast_map, seq num: 1, local addr: 75.xxx.xxx.xxx

      access-list Comcast_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

      current_peer: 173.xxx.xxx.xxx

      #pkts encaps: 3303276, #pkts encrypt: 3303276, #pkts digest: 3303276

      #pkts decaps: 3289933, #pkts decrypt: 3289933, #pkts verify: 3289933

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 3303276, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.xxx.xxx.xxx/0, remote crypto endpt.: 173.xxx.xxx.xxx/0

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 9542874E

      current inbound spi : 20F798ED

    inbound esp sas:

      spi: 0x20F798ED (553097453)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 1708032, crypto-map: Comcast_map

         sa timing: remaining key lifetime (kB/sec): (3835492/14276)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x9542874E (2504165198)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 1708032, crypto-map: Comcast_map

         sa timing: remaining key lifetime (kB/sec): (3773350/14276)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    Crypto map tag: Comcast_map, seq num: 3, local addr: 75.xxx.xxx.xxx

      access-list Comcast_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.180.20.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (10.180.20.0/255.255.255.0/0/0)

      current_peer: 198.xxx.xxx.xxx

      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.xxx.xxx.xxx/0, remote crypto endpt.: 198.xxx.xxx.xxx/0

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: F708014A

      current inbound spi : E093AC6B

    inbound esp sas:

      spi: 0xE093AC6B (3767774315)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 1875968, crypto-map: Comcast_map

         sa timing: remaining key lifetime (kB/sec): (3915000/28786)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0xF708014A (4144496970)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 1875968, crypto-map: Comcast_map

         sa timing: remaining key lifetime (kB/sec): (3914999/28786)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

==================================

sh run:

==============================

ASA Version 8.3(2)

!

hostname fwhq01

domain-name

enable password

passwd

no names

name 70.xxx.xxx.xxx Vsync_Home

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif TowerStream

security-level 0

ip address 69.xxx.xxx.xxx 255.255.255.240

!

interface Vlan3

nameif Comcast

security-level 0

ip address 75.xxx.xxx.xxx 255.255.255.240

!

interface Ethernet0/0

switchport access vlan 2

speed 100

duplex full

!

interface Ethernet0/1

switchport access vlan 3

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport monitor Ethernet0/2

!

boot system disk0:/asa832-k8.bin

boot system disk0:/asa822-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.1.27

name-server 192.168.1.22

domain-name domain.local

object network GPTERMSERV.office.domain.local

host 192.168.1.29

description Publicly acesssible Term Serv for GP and POS      

object network kim.office.domain.local

host 192.168.1.250

description FogBugz (Still Needed? 19-Oct-2010)      

object network ANIMAL.office.domain.local

host 192.168.1.41

object network T2SRVTS01.office.domain.local

host 192.168.1.23

description Terminal Server for Internal Use      

object network FTP.domain.local

host 192.168.1.49

object network T2SRVECOM01.office.domain.local

host 192.168.1.21

description Ecom Server      

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj-0.0.0.0

host 0.0.0.0

object network NETWORK_OBJ_192.168.1.224_27

subnet 192.168.1.224 255.255.255.224

object network NETWORK_OBJ_192.168.1.0_24

subnet 192.168.1.0 255.255.255.0

object network NETWORK_OBJ_192.168.2.0_24

subnet 192.168.2.0 255.255.255.0

object network T2SRVGENTRAN01.office.domain.local

host 192.168.1.25

object network T2SRVGPDBTEST02.office.domain.local

host 192.168.1.26

object network T2SRVGPDB01.office.domain.local

host 192.168.1.46

object network NETWORK_OBJ_192.168.0.0_24

subnet 192.168.0.0 255.255.255.0

object network T2SRVGPDB02.office.domain.local

host 192.168.1.28

description GP DB Test   

object network wwwtest.domain.local

host 192.168.1.42

object network prodealtest.domain.local

host 192.168.1.43

object network admintest.domain.local

host 192.168.1.45

object network NETWORK_OBJ_172.16.2.0_24

subnet 172.16.2.0 255.255.255.0

object network obj-192.168.1.1

subnet 192.168.1.0 255.255.255.0

object network obj-172.16.2.1

host 172.16.2.1

object network obj-10.20.21.1

subnet 10.20.21.0 255.255.255.0

object network obj-172.16.2.0

subnet 172.16.2.0 255.255.255.0

object network michaellmv1320

host 192.168.1.166

description temp_rule  

object network obj-192.168.1.0

subnet 192.168.1.0 255.255.255.0

object network T2.Access.CloudServer

host 10.180.20.97

object network t2.CloudServerSubnet

subnet 10.180.20.0 255.255.255.0

object-group service Animal tcp

description Connections to Animal

port-object eq www

port-object eq https

port-object eq ssh

object-group service FTPPASSV tcp

description Passive Mode for FTP  SErver

port-object range 40050 40100

object-group service Terminal_Service tcp

description Terminal Services

port-object eq 3389

object-group service DM_INLINE_TCP_2 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_3 tcp

group-object FTPPASSV

port-object eq ftp

port-object eq ftp-data

object-group network DM_INLINE_NETWORK_2

network-object host 69.xxx.xxx.xxx

network-object host 69.xxx.xxx.xxx

object-group network DM_INLINE_NETWORK_3

network-object object NETWORK_OBJ_192.168.1.0_24

network-object object NETWORK_OBJ_192.168.2.0_24

object-group service DM_INLINE_TCP_4 tcp

group-object Terminal_Service

port-object eq www

port-object eq https

object-group service Torrent tcp

description q

port-object range 6881 6889

object-group service DM_INLINE_TCP_1 tcp

group-object Terminal_Service

port-object eq www

port-object eq https

object-group network DM_INLINE_NETWORK_4

network-object host 24.xxx.xxx.xxx

network-object 68.xxx.xxx.xxx 255.255.255.0

network-object 70.xxx.xxx.xxx 255.255.255.0

network-object host 64.xxx.xxx.xxx

network-object host 64.xxx.xxx.xxx

object-group network DM_INLINE_NETWORK_1

network-object 192.168.1.0 255.255.255.0

network-object 192.168.2.0 255.255.255.0

object-group service DM_INLINE_SERVICE_1

service-object tcp-udp destination eq www

service-object tcp destination eq https

service-object tcp destination eq ssh

object-group service DM_INLINE_SERVICE_2

service-object tcp-udp destination eq www

service-object tcp destination eq https

service-object tcp destination eq ssh

object-group service DM_INLINE_SERVICE_3

service-object tcp-udp destination eq www

service-object tcp destination eq https

service-object tcp destination eq ssh

object-group service 61001 tcp-udp

description 61001

port-object eq 61001

access-list inside_access_in extended deny tcp any any object-group Torrent

access-list inside_access_in extended permit ip any any

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object t2.CloudServerSubnet

access-list inside_nat0_outbound extended permit ip object t2.CloudServerSubnet 192.168.1.0 255.255.255.0

access-list sfoffice_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list sfoffice_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0

access-list Comcast_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list TowerStream_outside_access_in extended permit tcp any object GPTERMSERV.office.domain.local object-group Terminal_Service

access-list TowerStream_outside_access_in extended permit tcp any object kim.office.domain.local object-group DM_INLINE_TCP_2

access-list TowerStream_outside_access_in extended permit icmp any any

access-list TowerStream_outside_access_in extended permit tcp 68.xxx.xxx.xxx 255.255.255.0 host 192.168.1.16 object-group Terminal_Service

access-list Comcast_access_in extended permit tcp any object T2SRVGPDB02.office.domain.local object-group Terminal_Service

access-list Comcast_access_in extended permit tcp any object T2SRVGPDB01.office.domain.local object-group Terminal_Service

access-list Comcast_access_in extended permit tcp any object T2SRVGPDBTEST02.office.domain.local object-group Terminal_Service

access-list Comcast_access_in extended permit tcp object-group DM_INLINE_NETWORK_4 object T2SRVGENTRAN01.office.domain.local object-group Terminal_Service

access-list Comcast_access_in remark Public FTP Server

access-list Comcast_access_in extended permit tcp any object FTP.domain.local object-group DM_INLINE_TCP_3

access-list Comcast_access_in extended permit tcp any object T2SRVECOM01.office.domain.local object-group DM_INLINE_TCP_1

access-list Comcast_access_in extended permit tcp any object ANIMAL.office.domain.local object-group Animal

access-list Comcast_access_in remark New Terminal Server to Replace GPTERMSERV and T2FILE

access-list Comcast_access_in extended permit tcp any object T2SRVTS01.office.domain.local object-group DM_INLINE_TCP_4

access-list Comcast_access_in extended permit icmp any any

access-list Comcast_access_in extended permit object-group DM_INLINE_SERVICE_1 any object wwwtest.domain.local

access-list Comcast_access_in extended permit object-group DM_INLINE_SERVICE_2 any object admintest.domain.local

access-list Comcast_access_in extended permit object-group DM_INLINE_SERVICE_3 any object prodealtest.domain.local

access-list Comcast_access_in extended permit ip host 38.xxx.xxx.xxx interface Comcast

access-list Comcast_access_in extended deny ip any any

access-list HQ_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list HQ_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0

access-list Comcast_2_cryptomap extended permit ip object obj-172.16.2.0 object obj-10.20.21.1

access-list netflow-export extended permit ip any any

access-list global_mpc extended permit ip any any

access-list Comcast_3_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object t2.CloudServerSubnet

pager lines 24

logging enable

logging buffer-size 12024

logging asdm warnings

logging class vpn buffered notifications

no logging message 106015

no logging message 313001

no logging message 313008

no logging message 106023

no logging message 710003

no logging message 106100

no logging message 302015

no logging message 302014

no logging message 302013

no logging message 302018

no logging message 302017

no logging message 302016

no logging message 302021

no logging message 302020

flow-export destination Comcast 38.xxx.xxx.xxx 2055

flow-export template timeout-rate 1

flow-export delay flow-create 60

mtu inside 1500

mtu TowerStream 1500

mtu Comcast 1500

ip local pool SFOfficeVPN 192.168.1.236-192.168.1.245 mask 255.255.255.0

ip local pool SSL-VPN-POOL 10.200.200.100-10.200.200.150 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any TowerStream

icmp permit any Comcast

asdm image disk0:/asdm-635.bin

no asdm history enable

arp timeout 14400

nat (inside,TowerStream) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24

nat (inside,TowerStream) source static any any destination static NETWORK_OBJ_192.168.1.224_27 NETWORK_OBJ_192.168.1.224_27

nat (inside,Comcast) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static NETWORK_OBJ_192.168.1.224_27 NETWORK_OBJ_192.168.1.224_27

nat (inside,Comcast) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24

nat (inside,Comcast) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24

nat (inside,Comcast) source static obj-192.168.1.1 obj-172.16.2.0 destination static obj-10.20.21.1 obj-10.20.21.1

nat (inside,Comcast) source static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 destination static obj-10.20.21.1 obj-10.20.21.1

nat (inside,Comcast) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static t2.CloudServerSubnet t2.CloudServerSubnet

!

object network GPTERMSERV.office.domain.local

nat (inside,TowerStream) static 69.xxx.xxx.xxx

object network kim.office.domain.local

nat (inside,TowerStream) static 69.xxx.xxx.xxx

object network ANIMAL.office.domain.local

nat (inside,Comcast) static 75.xxx.xxx.xxx

object network T2SRVTS01.office.domain.local

nat (inside,Comcast) static 75.xxx.xxx.xxx

object network FTP.domain.local

nat (inside,Comcast) static 75.xxx.xxx.xxx

object network T2SRVECOM01.office.domain.local

nat (inside,Comcast) static 75.xxx.xxx.xxx

object network obj_any

nat (inside,Comcast) dynamic interface

object network T2SRVGENTRAN01.office.domain.local

nat (inside,Comcast) static 75.xxx.xxx.xxx

object network T2SRVGPDBTEST02.office.domain.local

nat (inside,Comcast) static 75.xxx.xxx.xxx

object network T2SRVGPDB01.office.domain.local

nat (inside,Comcast) static 75.xxx.xxx.xxx

object network T2SRVGPDB02.office.domain.local

nat (inside,Comcast) static 75.xxx.xxx.xxx

object network wwwtest.domain.local

nat (inside,Comcast) static 75.xxx.xxx.xxx

object network prodealtest.domain.local

nat (inside,Comcast) static 75.xxx.xxx.xxx

object network admintest.domain.local

nat (inside,Comcast) static 75.xxx.xxx.xxx

object network obj-192.168.1.0

nat (inside,TowerStream) dynamic interface

access-group inside_access_in in interface inside

access-group TowerStream_outside_access_in in interface TowerStream

access-group Comcast_access_in in interface Comcast

route Comcast 0.0.0.0 0.0.0.0 75.xxx.xxx.xxx 1 track 123

route TowerStream 0.0.0.0 0.0.0.0 69.xxx.xxx.xxx 254

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server OFFICE_DOMAIN protocol nt

aaa-server OFFICE_DOMAIN (inside) host 192.168.1.22

nt-auth-domain-controller VDC2

aaa-server OFFICE_DOMAIN (inside) host 192.168.1.27

nt-auth-domain-controller VDC4

aaa authentication telnet console LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 38.xxx.xxx.xxx 255.255.255.255 Comcast

http 0.0.0.0 0.0.0.0 inside

snmp-server host Comcast 38.xxx.xxx.xxx community ***** version 2c

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps syslog

sla monitor 1

type echo protocol ipIcmpEcho 4.2.2.1 interface Comcast

sla monitor schedule 1 life forever start-time now

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 1 set pfs group1

crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-MD5

crypto dynamic-map outside_dyn_map 1 set reverse-route

crypto dynamic-map outside_dyn_map 2 set pfs

crypto dynamic-map outside_dyn_map 2 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 22 set transform-set ESP-3DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface TowerStream

crypto map Comcast_map 1 match address Comcast_1_cryptomap

crypto map Comcast_map 1 set pfs group1

crypto map Comcast_map 1 set peer 173.xxx.xxx.xxx

crypto map Comcast_map 1 set transform-set ESP-3DES-SHA

crypto map Comcast_map 2 match address Comcast_2_cryptomap

crypto map Comcast_map 2 set pfs group1

crypto map Comcast_map 2 set peer 38.xxx.xxx.xxx

crypto map Comcast_map 2 set transform-set ESP-3DES-SHA

crypto map Comcast_map 3 match address Comcast_3_cryptomap

crypto map Comcast_map 3 set pfs group1

crypto map Comcast_map 3 set peer 198.xxx.xxx.xxx

crypto map Comcast_map 3 set transform-set ESP-3DES-SHA

crypto map Comcast_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Comcast_map interface Comcast

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto ca server

shutdown

cdp-url http://ciscoasa.office.domain.local/+CSCOCA+/asa_ca.crl

issuer-name CN=ciscoasa.office.domain.local

smtp from-address admin@ciscoasa.office.domain.local

crypto isakmp enable Comcast

crypto isakmp policy 2

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash md5

group 5

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption 3des

hash md5

group 5

lifetime 86400

crypto isakmp ipsec-over-tcp port 10000

!

track 123 rtr 1 reachability

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 15

ssh 0.0.0.0 0.0.0.0 inside

ssh 38.xxx.xxx.xxx 255.255.255.255 Comcast

ssh timeout 30

console timeout 0

management-access inside

dhcpd auto_config TowerStream

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port number-of-rate 3

threat-detection statistics protocol number-of-rate 3

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 129.6.15.29 source TowerStream prefer

ntp server 129.6.15.28 source TowerStream prefer

webvpn

enable TowerStream

enable Comcast

svc image disk0:/anyconnect-macosx-i386-3.1.00495-k9.pkg 1

svc image disk0:/anyconnect-win-3.1.00495-k9.pkg 2

svc enable

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

dns-server value 192.168.1.22 192.168.1.27

vpn-tunnel-protocol IPSec l2tp-ipsec

default-domain value office.domain.local

group-policy sfoffice internal

group-policy sfoffice attributes

wins-server none

dns-server value 192.168.1.22 192.168.1.27

vpn-tunnel-protocol IPSec l2tp-ipsec svc

password-storage enable

ip-comp enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value sfoffice_splitTunnelAcl

default-domain value office.domain.local

split-dns value office.domain.local

ipv6-address-pools none

client-firewall none

client-access-rule none

group-policy T2SSL-VPN internal

group-policy T2SSL-VPN attributes

dns-server value 192.168.1.22 192.168.1.27

vpn-tunnel-protocol svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value sfoffice_splitTunnelAcl

default-domain value office.domain.local

split-dns none

ipv6-address-pools none

username rscadmin password ************* encrypted privilege 15

username asaadmin password ************* encrypted privilege 15

username timbuk2vpn password ************* encrypted

tunnel-group sfoffice type remote-access

tunnel-group sfoffice general-attributes

address-pool (inside) SFOfficeVPN

address-pool SFOfficeVPN

authentication-server-group OFFICE_DOMAIN

authentication-server-group (inside) OFFICE_DOMAIN

default-group-policy sfoffice

tunnel-group sfoffice ipsec-attributes

pre-shared-key *****

tunnel-group 173.xxx.xxx.xxx type ipsec-l2l

tunnel-group 173.xxx.xxx.xxx ipsec-attributes

pre-shared-key *****

tunnel-group T2SSL-VPN type remote-access

tunnel-group T2SSL-VPN general-attributes

address-pool SFOfficeVPN

authentication-server-group OFFICE_DOMAIN

default-group-policy T2SSL-VPN

tunnel-group T2SSL-VPN webvpn-attributes

group-alias T2SSL-VPN enable

group-url https://75.xxx.xxx.xxx/T2SSL-VPN enable

tunnel-group 38.xxx.xxx.xxx type ipsec-l2l

tunnel-group 38.xxx.xxx.xxx ipsec-attributes

pre-shared-key *****

tunnel-group 198.xxx.xxx.xxx type ipsec-l2l

tunnel-group 198.xxx.xxx.xxx ipsec-attributes

pre-shared-key *****

!

class-map netflow-export-class

match access-list netflow-export

class-map global-class

match access-list global_mpc

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

class global-class

  flow-export event-type all destination 38.xxx.xxx.xxx

policy-map netflow-export-policy

class netflow-export-class

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:12229078ab8a987943f7b398d5e5a5ca

: end

=====================

Thanks Matt,

At first glance your configuration seems OK; you even have identity NAT for that traffic.

With the packet-tracer, the problem was that you were using the ASA inside interface address in it. You should use any other IP from the 192.168.1.0/24 network. Anyway, we can see some encapsulations in that particular tunnel.

I would do the following

1) Verify with packet-tracer that there is nothing wrong and the packet is going through the VPN encrypt step (99% it will)

2) Check what is going on on the second side (Windows). Can you see the packet transmitted by the ASA on that machine? If yes, what is happening with the response packet? For the moment we see 3 encaps, 0 decaps, meaning that most probably no packets are received on the ASA.

3) Captures of ESP traffic on the outside interfaces of the ASA and Windows can be good to use if you are sure that packets are being sent from each of the peers, but not received on the other side.
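A way to make the encaps/decaps reading in step 2 systematic, as an added example that is not part of this thread: a small Python parser for "show crypto ipsec sa" output that reports, per crypto map entry, whether traffic is flowing both ways, only outbound, only inbound, or not at all. The sample output embedded below is constructed from the counters posted earlier in the thread, with the peer addresses replaced by RFC 5737 documentation addresses.

```python
import re

# Constructed excerpt modelled on the thread's "show crypto ipsec sa" output
# (only the lines the parser needs; peers are RFC 5737 documentation addresses).
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: Comcast
    Crypto map tag: Comcast_map, seq num: 2, local addr: 203.0.113.5
      local ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.21.0/255.255.255.0/0/0)
      current_peer: 198.51.100.38
      #pkts encaps: 2619968, #pkts encrypt: 2619968, #pkts digest: 2619968
      #pkts decaps: 2244120, #pkts decrypt: 2244120, #pkts verify: 2244120
      #send errors: 0, #recv errors: 0
    Crypto map tag: Comcast_map, seq num: 1, local addr: 203.0.113.5
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.173
      #pkts encaps: 3303276, #pkts encrypt: 3303276, #pkts digest: 3303276
      #pkts decaps: 3289933, #pkts decrypt: 3289933, #pkts verify: 3289933
      #send errors: 0, #recv errors: 0
    Crypto map tag: Comcast_map, seq num: 3, local addr: 203.0.113.5
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.180.20.0/255.255.255.0/0/0)
      current_peer: 198.51.100.198
      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

# A new entry starts at every "Crypto map tag:" line.
ENTRY_RE = re.compile(
    r"Crypto map tag: (?P<tag>\S+), seq num: (?P<seq>\d+), local addr: (?P<local>\S+)"
)
# Per-entry fields; numeric values are converted, everything else kept as text.
FIELD_PATTERNS = {
    "local_ident": re.compile(r"local ident \(addr/mask/prot/port\): \((?P<v>[^)]*)\)"),
    "remote_ident": re.compile(r"remote ident \(addr/mask/prot/port\): \((?P<v>[^)]*)\)"),
    "peer": re.compile(r"current_peer: (?P<v>\S+)"),
    "encaps": re.compile(r"#pkts encaps: (?P<v>\d+)"),
    "decaps": re.compile(r"#pkts decaps: (?P<v>\d+)"),
    "send_errors": re.compile(r"#send errors: (?P<v>\d+)"),
    "recv_errors": re.compile(r"#recv errors: (?P<v>\d+)"),
}


def parse_ipsec_sa(text):
    """Return one dict per crypto map entry found in the show output."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            current = {"tag": m["tag"], "seq": int(m["seq"]), "local_addr": m["local"]}
            entries.append(current)
            continue
        if current is None:
            continue
        for key, pattern in FIELD_PATTERNS.items():
            m = pattern.search(line)
            if m:
                current[key] = int(m["v"]) if m["v"].isdigit() else m["v"]
    return entries


def classify(entry):
    """Read the direction of traffic from the encaps/decaps counters."""
    enc, dec = entry.get("encaps", 0), entry.get("decaps", 0)
    if enc and dec:
        return "bidirectional"
    if enc and not dec:
        return "one-way: sending, nothing decrypted from peer"
    if dec and not enc:
        return "one-way: receiving only"
    return "idle"


def diagnose(text):
    """Parse the output and attach a status to every entry."""
    return [{**entry, "status": classify(entry)} for entry in parse_ipsec_sa(text)]


def one_way_entries(text):
    """Sequence numbers of entries where traffic moves in only one direction."""
    return [e["seq"] for e in diagnose(text) if e["status"].startswith("one-way")]


if __name__ == "__main__":
    for e in diagnose(SAMPLE_SHOW_CRYPTO_IPSEC_SA):
        print(f"seq {e['seq']} peer {e['peer']} {e['local_ident']} -> {e['remote_ident']}: "
              f"encaps={e['encaps']} decaps={e['decaps']} ({e['status']})")
```

Paste the real output in place of the sample: an entry that shows encaps but zero decaps, as seq 3 does here, means the ASA is sending ESP but is not decrypting anything from that peer, which is exactly the case the ESP captures in step 3 are meant to settle.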

So I'm almost positive that it's on the Windows side that's keeping this from working.

The above are the result of trying to ping either side (from both sides), but if I run a tracert from the Windows side I start to see packets coming across (below).

The tunnel shows as up on both sides, and traffic is being sent from the ASA to the Windows server, but not really coming back from the Windows server. Then on the Windows server, it shows the tunnel up as well.

Here is my Windows Tunnel:

netsh advfirewall consec add rule name="T2HQTUNNEL" enable=yes mode=tunnel localtunnelendpoint=198.xxx.xxx.xxx remotetunnelendpoint=75.xxx.xxx.xxx endpoint1=10.180.20.0/24 endpoint2=192.168.1.0/24 action=requireinrequireout auth1=computerpsk auth1psk="************" qmsecmethods=esp:sha1-3des qmpfs=dhgroup1 exemptipsecprotectedconnections=yes

What am I missing on the Windows side?
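As an added example, not taken from this thread or from either vendor: a Python check that reads the ASA's crypto map entry (match ACL, peer, transform set, PFS group, and the address of the interface the map is bound to) together with the Windows "netsh advfirewall consec" rule, and confirms that the two sides mirror each other. The ASA fragment is constructed from the entry-3 lines posted above with the object-based ACL written out and RFC 5737 documentation addresses in place of the real ones; the PSK is a placeholder. It assumes the usual netsh semantics, where endpoint1 and localtunnelendpoint are the Windows side and endpoint2 and remotetunnelendpoint are the ASA side, and it maps ASA transform names to the netsh qmsecmethods spelling (esp-3des with esp-sha-hmac becomes esp:sha1-3des).

```python
import re
import shlex
from ipaddress import ip_network

# Constructed ASA fragment: only the lines relevant to crypto map entry 3,
# ACL written in expanded form, public addresses from RFC 5737 ranges.
ASA_CONFIG = """\
interface Vlan3
 nameif Comcast
 security-level 0
 ip address 203.0.113.5 255.255.255.240
access-list Comcast_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.180.20.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Comcast_map 3 match address Comcast_3_cryptomap
crypto map Comcast_map 3 set pfs group1
crypto map Comcast_map 3 set peer 198.51.100.198
crypto map Comcast_map 3 set transform-set ESP-3DES-SHA
crypto map Comcast_map interface Comcast
"""

# Constructed Windows rule in the same shape as the thread's; the PSK is a placeholder.
WINDOWS_RULE = (
    'netsh advfirewall consec add rule name="T2HQTUNNEL" enable=yes mode=tunnel '
    'localtunnelendpoint=198.51.100.198 remotetunnelendpoint=203.0.113.5 '
    'endpoint1=10.180.20.0/24 endpoint2=192.168.1.0/24 action=requireinrequireout '
    'auth1=computerpsk auth1psk="PLACEHOLDER_PSK" '
    'qmsecmethods=esp:sha1-3des qmpfs=dhgroup1 exemptipsecprotectedconnections=yes'
)

# ASA transform-set keywords -> netsh qmsecmethods spelling (assumed mapping).
CIPHER = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes128",
          "esp-aes-192": "aes192", "esp-aes-256": "aes256"}
INTEGRITY = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}
PFS = {"group1": "dhgroup1", "group2": "dhgroup2", "group14": "dhgroup14"}

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set pfs|set peer|set transform-set)(?: (\S+))?$")
ATTACH_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def cidr(addr, mask):
    """'192.168.1.0' + '255.255.255.0' -> '192.168.1.0/24'."""
    return str(ip_network(f"{addr}/{mask}", strict=False))


def parse_asa_l2l(config, map_name, seq):
    """Collect what crypto map <map_name> <seq> proposes: nets, peer, ESP methods, PFS."""
    ifaces, acls, tsets, entry, attach, cur = {}, {}, {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {}
        elif line.startswith("nameif ") and cur is not None:
            ifaces[line.split()[1]] = cur
        elif line.startswith("ip address ") and cur is not None:
            cur["addr"] = line.split()[2]
        elif (m := ACL_RE.match(line)):
            acls[m[1]] = (cidr(m[2], m[3]), cidr(m[4], m[5]))
        elif (m := TS_RE.match(line)):
            tsets[m[1]] = (m[2], m[3])
        elif (m := MAP_RE.match(line)) and m[1] == map_name and int(m[2]) == seq:
            entry[m[3]] = m[4]
        elif (m := ATTACH_RE.match(line)):
            attach[m[1]] = m[2]
    local_net, remote_net = acls[entry["match address"]]
    cipher, integ = tsets[entry["set transform-set"]]
    return {
        "local_addr": ifaces[attach[map_name]]["addr"],
        "peer": entry["set peer"],
        "local_net": local_net,
        "remote_net": remote_net,
        "esp": f"esp:{INTEGRITY[integ]}-{CIPHER[cipher]}",
        # A bare "set pfs" on the ASA means group2, so fall back to that.
        "pfs": PFS.get(entry.get("set pfs") or "group2", "no-netsh-equivalent"),
    }


def parse_windows_rule(cmd):
    """Turn the netsh key=value tokens into a dict; shlex strips the quoting."""
    params = {}
    for tok in shlex.split(cmd):
        if "=" in tok:
            key, value = tok.split("=", 1)
            params[key.lower()] = value
    return params


def norm_net(value):
    try:
        return str(ip_network(value, strict=False))
    except ValueError:
        return value  # e.g. "any" or an empty string


def check_mirror(asa_config, map_name, seq, netsh_cmd):
    """Return (field, expected-from-ASA, found-on-Windows, ok) for every mirrored field."""
    a = parse_asa_l2l(asa_config, map_name, seq)
    w = parse_windows_rule(netsh_cmd)
    pairs = [  # Windows "local" is the ASA's "remote" and vice versa.
        ("remotetunnelendpoint", a["local_addr"], w.get("remotetunnelendpoint", "")),
        ("localtunnelendpoint", a["peer"], w.get("localtunnelendpoint", "")),
        ("endpoint2", a["local_net"], norm_net(w.get("endpoint2", ""))),
        ("endpoint1", a["remote_net"], norm_net(w.get("endpoint1", ""))),
        ("qmsecmethods", a["esp"], w.get("qmsecmethods", "").lower()),
        ("qmpfs", a["pfs"], w.get("qmpfs", "").lower()),
    ]
    return [(name, exp, act, exp == act) for name, exp, act in pairs]


def mismatches(asa_config, map_name, seq, netsh_cmd):
    return [name for name, _, _, ok in check_mirror(asa_config, map_name, seq, netsh_cmd) if not ok]


if __name__ == "__main__":
    for name, exp, act, ok in check_mirror(ASA_CONFIG, "Comcast_map", 3, WINDOWS_RULE):
        print(f"{'OK ' if ok else 'BAD'} {name}: ASA expects {exp!r}, Windows has {act!r}")
```

With the thread's values the proposal parameters line up, so a clean result from this check points the investigation at what the ASA and Windows both agree on but still fails: the phase 2 negotiation itself, the Windows host's routing and firewall handling of the decrypted traffic, and the captures from step 3 above.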