cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

5339
Views
0
Helpful
9
Replies
Beginner

Cisco ASA 5510 VPN Site to Site IKE Initiator Unable to find policy

Hi

I have a dynamic VPN site to site between ASA 5510 vs C880 with segment 172.23.191.0/25 for ASA side and some host in C880 side (e.g. 128.1.100.211, 128.1.115.181, 128.1.104.212) . The VPN is up, but only have communication with a host (128.1.115.181).

The Cisco ASA 5510 have an IP Static 201.XXX.XX.XXX

The C880 have a dinamyc IP 189.YYY.YYY.YYY

This is the crypto ipsec and crypto iskamp output:

--------------------------------FOR ASA---------------------------------------------------------------------

vpncsr# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 189.XXX.XXX.XXX
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE

vpncsr# sh crypto ipsec sa
interface: outside
    Crypto map tag: temsavpn, seq num: 4, local addr: 201.XXX.XX.XXX

      access-list outside_cryptomap_3 permit ip 172.23.191.0 255.255.255.128 host 128.1.115.181
      local ident (addr/mask/prot/port): (172.23.191.0/255.255.255.128/0/0)
      remote ident (addr/mask/prot/port): (128.1.115.181/255.255.255.255/0/0)
      current_peer: 189.YYY.YYY.YYY

      #pkts encaps: 1294, #pkts encrypt: 1294, #pkts digest: 1294
      #pkts decaps: 2181, #pkts decrypt: 2181, #pkts verify: 2181
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1294, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 20
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 201.XXX.XX.XXX, remote crypto endpt.: 189.YYY.YYY.YYY

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: C4DEC826

    inbound esp sas:
      spi: 0x3F198817 (1058637847)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }

-----------------------------------------------------------------------------------------------------------------------

----------------------------------------------- FOR C880---------------------------------------------

protected vrf: (none)
   local  ident (addr/mask/prot/port): (128.1.115.181/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.23.191.0/255.255.255.128/0/0)
   current_peer 201.XXX.XX.XXX port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 281592, #pkts encrypt: 281592, #pkts digest: 281592
    #pkts decaps: 241581, #pkts decrypt: 241581, #pkts verify: 241581
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 950, #recv errors 0

     local crypto endpt.: 189.YYY.YYY.YYY, remote crypto endpt.: 201.XXX.XX.XXX     inbound ah sas:

     inbound pcp sas:
path mtu 1490, ip mtu 1490, ip mtu idb Dialer1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

K_Fibers#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

201.XXX.XX.XXX  189.YYY.YYY.YYY QM_IDLE           2184 ACTIVE

---------------------------------------------------------------------------------------------------------------------------------------

In the logs appears the next message when I try communication for all aother IP in the policy map configuration:

IKE Initioator unable to find policy: Intf Inside, Src: 172.23.191.87, Dst: 128.1.115.182

ONLY WHEN I PINGING FROM SOME HOST IN C880 SIDE (e.g. 128.1.100.211) the communication is successfull.

¿What happen with this VPN, because I need to pinging from C880 IP host to ASA segment for establish communication?

9 REPLIES 9

Cisco ASA 5510 VPN Site to Site IKE Initiator Unable to find pol

Hello Adrian,

Is it possible for you to post the config of both devices ?

regards

Harish,

Beginner

Re: Cisco ASA 5510 VPN Site to Site IKE Initiator Unable to find

Of Course.

Thank you for you response:

Cisco ASA. T VPN Site to Site is called Kaltex and the VPN Profile is "temsavpn"

----------------------------------------------------------------------------------

sh run
: Saved
:
ASA Version 8.2(1)
!
hostname vpncsr
enable password Wiw6zkg0NYyN5.Xr encrypted
passwd Wiw6zkg0NYyN5.Xr encrypted
names
!
interface Ethernet0/0
description CSR_LAN
nameif inside
security-level 100
ip address 172.23.191.23 255.255.255.128
rip send version 2
rip receive version 2
rip authentication key key_id 1
!
interface Ethernet0/1
description Publica
nameif outside
security-level 0
ip address 201.161.14.214 255.255.255.248
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.2
object-group network KaltexAltamira
network-object host 128.1.100.204
network-object host 128.1.100.211
network-object host 128.1.100.212
network-object host 128.1.101.212
network-object host 128.1.102.212
network-object host 128.1.103.212
network-object host 128.1.104.212
network-object host 128.1.105.212
network-object host 128.1.106.212
network-object host 128.1.106.213
network-object host 128.1.107.212
network-object host 128.1.108.212
network-object host 128.1.108.213
network-object host 128.1.115.180
network-object host 128.1.115.181
network-object host 128.1.115.182
network-object host 128.1.115.212
network-object host 128.1.115.213
network-object host 128.1.187.190
access-list inside_access_in remark CSR
access-list inside_access_in extended permit ip 172.23.191.0 255.255.255.128 any log
access-list inside_nat_outbound remark NAT Salida Internet
access-list inside_nat_outbound extended permit ip 172.23.191.0 255.255.255.128 any
access-list outside_access_in extended permit ip object-group KaltexAltamira 172.23.191.0 255.255.255.128
access-list outside_access_in remark Internet ICMP Troubleshooting
access-list outside_access_in extended permit icmp host 4.2.2.2 interface outside log
access-list inside_nat0_outbound extended permit ip 172.23.191.0 255.255.255.128 17.10.40.80 255.255.255.248
access-list inside_nat0_outbound remark CityExpressH Cisco Qro-Jurica In
access-list inside_nat0_outbound extended permit ip 172.23.191.0 255.255.255.128 192.168.67.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.23.191.0 255.255.255.128 192.168.58.0 255.255.255.0
access-list inside_nat0_outbound remark VPNS2S KaltexAltamira
access-list inside_nat0_outbound extended permit ip 172.23.191.0 255.255.255.128 object-group KaltexAltamira
access-list outside_cryptomap remark CityExpressH Cisco Qro-Jurica Out
access-list outside_cryptomap extended permit ip 172.23.191.0 255.255.255.128 192.168.67.0 255.255.255.0 log
access-list outside_cryptomap_1 extended permit ip host 172.23.91.83 host 191.168.14.3
access-list ripACL_FR standard permit 192.168.14.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 172.23.191.0 255.255.255.128 192.168.58.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 172.23.191.0 255.255.255.128 object-group KaltexAltamira
pager lines 24
logging enable
logging buffer-size 10000
logging buffered debugging
logging trap debugging
logging asdm informational
logging host inside 172.23.191.86
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool PoolVPNCliente 17.10.40.80-17.10.40.87 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat_outbound
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
!
router rip
network 172.23.0.0
version 2
distribute-list ripACL_FR in interface inside
!
route outside 0.0.0.0 0.0.0.0 201.161.14.209 1
route inside 172.23.191.0 255.255.255.0 172.23.191.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.23.191.0 255.255.255.128 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map ceqrojuri 1 match address outside_cryptomap
crypto dynamic-map ceqrojuri 1 set transform-set ESP-3DES-SHA

crypto dynamic-map hcereforma 2 match address outside_cryptomap_1
crypto dynamic-map hcereforma 2 set pfs
crypto dynamic-map hcereforma 2 set transform-set ESP-3DES-SHA
crypto dynamic-map ceaguasc 3 match address outside_cryptomap_2
crypto dynamic-map ceaguasc 3 set transform-set ESP-3DES-SHA
crypto dynamic-map temsavpn 4 match address outside_cryptomap_3
crypto dynamic-map temsavpn 4 set transform-set ESP-3DES-SHA
crypto map outside_map 1 ipsec-isakmp dynamic ceqrojuri
crypto map outside_map 2 ipsec-isakmp dynamic hcereforma
crypto map outside_map 3 ipsec-isakmp dynamic ceaguasc
crypto map outside_map 4 ipsec-isakmp dynamic temsavpn
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.23.191.0 255.255.255.128 inside
telnet timeout 5
ssh 172.23.191.0 255.255.255.128 inside
ssh 17.10.40.0 255.255.255.0 inside

ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec svc
group-policy VPNClient internal
group-policy VPNClient attributes
dns-server value 4.2.2.2
vpn-tunnel-protocol IPSec

username admin password 3fXR6Q5xXdv8D5f1 encrypted privilege 15
username aortega attributes
vpn-group-policy VPNClient
tunnel-group VPNClient type remote-access
tunnel-group VPNClient general-attributes
address-pool PoolVPNCliente
default-group-policy VPNClient
tunnel-group VPNClient ipsec-attributes
pre-shared-key *
tunnel-group ceqrojuri type ipsec-l2l
tunnel-group ceqrojuri ipsec-attributes
pre-shared-key *
tunnel-group hcereforma type ipsec-l2l
tunnel-group hcereforma ipsec-attributes
pre-shared-key *
tunnel-group ceaguasc type ipsec-l2l
tunnel-group ceaguasc ipsec-attributes
pre-shared-key *
tunnel-group temsavpn type ipsec-l2l
tunnel-group temsavpn ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:94d990f92ca84163823c6a6d05e0fef8
: end

----------------------------------------------------------------------------------

----------------------------------------------------------------------------------

----------------------------------------------------------------------------------

C880 Configuration

----------------------------------------------------------------------------------

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.10.01 14:10:06 =~=~=~=~=~=~=~=~=~=~=~=
sh run
Building configuration...

Current configuration : 12532 bytes
!
! Last configuration change at 18:51:16 UTC Mon Oct 1 2012 by temsa
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname K_Fibers
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authentication ppp default local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-2699844888
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2699844888
revocation-check none
rsakeypair TP-self-signed-2699844888
!
!
crypto pki certificate chain TP-self-signed-2699844888
certificate self-signed 01
  3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F522D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32363939 38343438 3838311E 170D3131 30333138 32303031
  35305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C642D 5369676E 65642D43 65727469 66696361 74652D32 36393938
  34343838 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C342 4FCF3F80 40696FB0 70319901 A04D0297 5F06C51D 66A242F4 29A5DBC4
  04EB65DD E526737A DA6A3F60 575EE511 CCA8CD8D 93613465 A7A739D1 5DC13FB0
  D5BB0EF6 39AF3842 7583DC83 CC68BA93 4FCF81E8 5D5A7CA8 4F021AF3 FFB7CD67
  EBC63ED9 01FC3A69 82427955 1A9BF240 EBE7F8D7 249515B7 8963DDE8 2F418802
  3F990203 010001A3 76307430 0F060355 1D130101 FF040530 030101FF 30210603
  551D1104 1A301882 164B5F46 69626572 732E6B61 6C746578 2E636F6D 2E6D7830
  1F060355 1D230418 30168014 78E1A0EB D91196F3 7B4904EF AE88B35B 2834C24B
  301D0603 551D0E04 16041478 E1A0EBD9 1196F37B 4904EFAE 88B35B28 34B24B30
  0D06092A 864886F7 0D010104 05000381 8100411E B3F6B1B7 CF508AFE 1554ECF0
  75D76F56 DC6A194D 5DD217CE BE39875C C42801CB F1BFF1BE 49B3AFF8 74EE5455
  F411CAD4 EEFA1CC7 A7C9CFA9 838934B3 0EF6B7BB 450021AF A054E20A B75111C4
  EFD9E82E 07728040 D608709C C6E98540 43E72926 6BEEAF59 09B250B5 3A58F57A
  1EEE298D 0CE2819A 8ED8949C 828DB679 28C6
   quit
ip source-route
!
!
ip dhcp excluded-address 128.1.100.204
!
ip dhcp pool VoIP
   import all
   network 128.1.100.0 255.255.255.0
   default-router 128.1.100.204
   option 150 ip 172.16.1.8
!
!
ip cef
ip domain name kaltex.com.mx
ip name-server 4.2.2.2
ip name-server 4.2.2.1
ip name-server 4.2.2.3
ip name-server 128.1.155.185
ip ddns update method DDNSUPDATE
HTTP
add http://raulhdez9:hernandez9@members.dyndns.org/nic/update?system=dyndns&hostname=fibers.dyndns-work.com&myip=>
interval maximum 28 0 0 0
interval minimum 28 0 0 0
!
ip ddns update method test
HTTP
!
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887-K9 sn FTX15040A4L
!
!
archive
log config
  hidekeys

!
!
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
lifetime 61200
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key hectorgo address 187.141.32.162 no-xauth
crypto isakmp key kaltex12 address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group temsa
key k3Rt234
pool vpn_pool
acl 130
!
crypto isakmp peer address 201.161.14.214
set aggressive-mode password t452sa1233$
set aggressive-mode client-endpoint fqdn temsavpn
crypto isakmp profile VPNuser
   description VPN clients profile
   match identity group temsa
   client authentication list clientauth
   isakmp authorization list groupauthor
   client configuration address respond
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclient esp-3des esp-sha-hmac
crypto ipsec transform-set fibers esp-3des esp-sha-hmac
!
crypto ipsec profile kaltex
set security-association lifetime seconds 120
set transform-set strong
!
!
crypto dynamic-map dynmap 20
set transform-set vpnclient
set isakmp-profile VPNuser
reverse-route
!
!
crypto map clientmap 15 ipsec-isakmp
set peer 201.161.14.214
set transform-set fibers
match address 100
crypto map clientmap 20 ipsec-isakmp dynamic dynmap
!
crypto map vpn 10 ipsec-isakmp
! Incomplete
set peer 187.141.32.162
set transform-set fibers
match address 120
!
!
!
!
!
interface Tunnel0
bandwidth 4000000
ip address 192.168.1.9 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication kaltex12
ip nhrp map multicast dynamic
ip nhrp map 192.168.1.1 201.122.116.33
ip nhrp map multicast 201.122.116.1
ip nhrp map multicast 201.122.116.33
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile kaltex shared
!
!
interface Tunnel2
bandwidth 4000000
ip address 10.10.20.9 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication kaltex12
ip nhrp map multicast dynamic
ip nhrp map 10.10.20.1 201.122.116.26
ip nhrp map multicast 201.122.116.9
ip nhrp map multicast 201.122.116.26
ip nhrp network-id 2
ip nhrp nhs 10.10.20.1
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile kaltex shared
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
!
interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
!
pvc 8/35
  pppoe-client dial-pool-number 1
!
pvc 8/81
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 128.1.100.204 255.255.255.0
no ip redirects
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1400
!
!
interface Dialer1
ip ddns update hostname fibers.dyndns-work.com
ip ddns update DDNSUPDATE
ip address negotiated
ip mtu 1490
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1440
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname kaltexfibers
ppp chap password 7 050A02022842450F
ppp pap sent-username kaltexfibers password 7 0207005602080427
no cdp enable
crypto map clientmap
!
!
!
router eigrp 100
network 10.10.20.0 0.0.0.255
network 128.1.100.0 0.0.0.255
network 192.168.1.0
redistribute static metric 1 1 255 1 1500 route-map static_Fibers
offset-list 10 in 40000 Tunnel0
eigrp stub connected static
!
ip local pool vpn_pool 128.1.100.110 128.1.100.130
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 180 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 128.1.101.0 255.255.255.0 128.1.100.211
ip route 128.1.102.0 255.255.255.0 128.1.100.211
ip route 128.1.103.0 255.255.255.0 128.1.100.211
ip route 128.1.104.0 255.255.255.0 128.1.100.211
ip route 128.1.105.0 255.255.255.0 128.1.100.211
ip route 128.1.106.0 255.255.255.0 128.1.100.211
ip route 128.1.107.0 255.255.255.0 128.1.100.211
ip route 128.1.108.0 255.255.255.0 128.1.100.211
ip route 128.1.109.0 255.255.255.0 128.1.100.211
ip route 128.1.110.0 255.255.255.0 128.1.100.211
ip route 128.1.111.0 255.255.255.0 128.1.100.211
ip route 128.1.112.0 255.255.255.0 128.1.100.211
ip route 128.1.113.0 255.255.255.0 128.1.100.211
ip route 128.1.114.0 255.255.255.0 128.1.100.211
ip route 128.1.115.0 255.255.255.0 128.1.100.211
ip route 128.1.116.0 255.255.255.0 128.1.100.211
ip route 128.1.117.0 255.255.255.0 128.1.100.211
ip route 128.1.118.0 255.255.255.0 128.1.100.211
ip route 128.1.119.0 255.255.255.0 128.1.100.211
ip route 128.1.155.0 255.255.255.0 128.1.100.211
ip route 128.1.170.0 255.255.255.0 192.168.1.1
ip route 128.1.171.0 255.255.255.0 192.168.1.1
ip route 128.1.177.0 255.255.255.0 192.168.1.1
ip route 128.1.179.0 255.255.255.0 192.168.1.1
!
ip sla 1
icmp-echo 192.168.1.1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 10.10.20.1
ip sla schedule 2 life forever start-time now
access-list 10 permit 128.1.1.0 0.0.0.255
access-list 10 permit 128.1.160.0 0.0.0.255
access-list 10 permit 128.1.70.0 0.0.0.255
access-list 10 permit 128.1.80.0 0.0.0.255
access-list 30 permit 128.1.101.0 0.0.0.255
access-list 30 permit 128.1.102.0 0.0.0.255
access-list 30 permit 128.1.103.0 0.0.0.255
access-list 30 permit 128.1.104.0 0.0.0.255
access-list 30 permit 128.1.105.0 0.0.0.255
access-list 30 permit 128.1.106.0 0.0.0.255
access-list 30 permit 128.1.107.0 0.0.0.255
access-list 30 permit 128.1.108.0 0.0.0.255
access-list 30 permit 128.1.109.0 0.0.0.255
access-list 30 permit 128.1.110.0 0.0.0.255
access-list 30 permit 128.1.111.0 0.0.0.255
access-list 30 permit 128.1.112.0 0.0.0.255
access-list 30 permit 128.1.113.0 0.0.0.255
access-list 30 permit 128.1.114.0 0.0.0.255
access-list 30 permit 128.1.115.0 0.0.0.255
access-list 30 permit 128.1.116.0 0.0.0.255
access-list 30 permit 128.1.117.0 0.0.0.255
access-list 30 permit 128.1.118.0 0.0.0.255
access-list 30 permit 128.1.119.0 0.0.0.255
access-list 30 permit 128.1.155.0 0.0.0.255
access-list 30 permit 172.16.1.0 0.0.0.255
access-list 100 permit ip host 128.1.100.211 172.23.191.0 0.0.0.127
access-list 100 permit ip host 128.1.100.212 172.23.191.0 0.0.0.127
access-list 100 permit ip host 128.1.101.212 172.23.191.0 0.0.0.127
access-list 100 permit ip host 128.1.102.212 172.23.191.0 0.0.0.127
access-list 100 permit ip host 128.1.103.212 172.23.191.0 0.0.0.127
access-list 100 permit ip host 128.1.104.212 172.23.191.0 0.0.0.127
access-list 100 permit ip host 128.1.105.212 172.23.191.0 0.0.0.127
access-list 100 permit ip host 128.1.106.212 172.23.191.0 0.0.0.127
access-list 100 permit ip host 128.1.106.213 172.23.191.0 0.0.0.127
access-list 100 permit ip host 128.1.107.212 172.23.191.0 0.0.0.127
access-list 100 permit ip host 128.1.108.212 172.23.191.0 0.0.0.127
access-list 100 permit ip host 128.1.108.213 172.23.191.0 0.0.0.127
access-list 100 permit ip host 128.1.115.180 172.23.191.0 0.0.0.127
access-list 100 permit ip host 128.1.115.181 172.23.191.0 0.0.0.127
access-list 100 permit ip host 128.1.115.182 172.23.191.0 0.0.0.127
access-list 100 permit ip host 128.1.115.212 172.23.191.0 0.0.0.127
access-list 100 permit ip host 128.1.115.213 172.23.191.0 0.0.0.127
access-list 100 permit ip host 128.1.100.204 172.23.191.0 0.0.0.128
access-list 130 permit ip 128.1.100.0 0.0.0.255 128.1.100.0 0.0.0.255
access-list 130 permit ip 128.1.115.0 0.0.0.255 128.1.100.0 0.0.0.255
access-list 130 permit ip 128.1.1.0 0.0.0.255 128.1.100.0 0.0.0.255
access-list 130 permit ip 128.1.155.0 0.0.0.255 128.1.100.0 0.0.0.255
access-list 130 permit ip 128.1.10.0 0.0.0.255 128.1.100.0 0.0.0.255
no cdp run

!
!
!
!
route-map static_Fibers permit 10
match ip address 30
!
!
control-plane
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
end

K_Fibers#    

Re: Cisco ASA 5510 VPN Site to Site IKE Initiator Unable to find

Hello Adrian,

Instead of object group 'KaltexAltamira' with different hosts, can you use 128.1.0.0/16 for the intresting traffic. Something like below

access-list outside_cryptomap_3 extended permit ip 172.23.191.0 255.255.255.128   128.1.0.0 255.255.0.0

Please clear the isakmp after the change and re initiate the connection

let me know the result

regards

Harish

Beginner

Cisco ASA 5510 VPN Site to Site IKE Initiator Unable to find pol

Harish

The VPN only work if the communication start from Kaltex (from host behind C880), otherwise the VPN not work. If host behind C880 not send information, the tunnel go to down although a extended ping is configured in ASA Side (ping from 172.23.191.0/25) to the host defined in group KaltexAltamira.

The Tunnel going to up only in these circunstances.

Cisco ASA 5510 VPN Site to Site IKE Initiator Unable to find pol

Adrian,

This is a dynamic to static LAN-to-LAN right?

If so, you can only initiate the tunnel from the dynamic peer.

Thanks.

Beginner

Cisco ASA 5510 VPN Site to Site IKE Initiator Unable to find pol

Javier

The VPN is a dynamic LAN to LAN (dynamic IP from C880 and static IP from ASA). The issue is that this configuration was working fine with other device (a Nortel Router VPN or Contivity device) vs C880.

This behavior is appearing since the VPN was migrated to ASA.

I have a few weeks, at most two or three weeks, working with Cisco ASA. I am completely new to this technology and for these reasons I generated this post, because the original VPN site to site between Contivity (Nortel) and C880 was working at 100%.

Beginner

Cisco ASA 5510 VPN Site to Site IKE Initiator Unable to find pol

Hi Javier and Harish

Because only I can initiate the tunnel (communication) from the dynamic peer, the solution was summarize all network segments defined in each ACL for interesting traffic and create a IP SLA for keep up the tunel.

Originally I was defined the next ACLs

access-list 100 permit ip host 128.1.100.211 172.23.191.0 0.0.0.127

access-list 100 permit ip host 128.1.100.212 172.23.191.0 0.0.0.127

access-list 100 permit ip host 128.1.101.212 172.23.191.0 0.0.0.127

access-list 100 permit ip host 128.1.102.212 172.23.191.0 0.0.0.127

access-list 100 permit ip host 128.1.103.212 172.23.191.0 0.0.0.127

access-list 100 permit ip host 128.1.104.212 172.23.191.0 0.0.0.127

access-list 100 permit ip host 128.1.105.212 172.23.191.0 0.0.0.127

access-list 100 permit ip host 128.1.106.212 172.23.191.0 0.0.0.127

access-list 100 permit ip host 128.1.106.213 172.23.191.0 0.0.0.127

access-list 100 permit ip host 128.1.107.212 172.23.191.0 0.0.0.127

access-list 100 permit ip host 128.1.108.212 172.23.191.0 0.0.0.127

access-list 100 permit ip host 128.1.108.213 172.23.191.0 0.0.0.127

access-list 100 permit ip host 128.1.115.180 172.23.191.0 0.0.0.127

access-list 100 permit ip host 128.1.115.181 172.23.191.0 0.0.0.127

access-list 100 permit ip host 128.1.115.182 172.23.191.0 0.0.0.127

access-list 100 permit ip host 128.1.115.212 172.23.191.0 0.0.0.127

access-list 100 permit ip host 128.1.115.213 172.23.191.0 0.0.0.127

access-list 100 permit ip host 128.1.100.204 172.23.191.0 0.0.0.128

And Only some segments have communication because only SA was generated when ISR LAN started the communication. With a summarized network (128.1.96.0/19) only a SA was generated and I can get communication with all other segments.

I have the same problem =(

I have the same problem =(

On my side I have Cisco PIX515 (pix804-28). On other side I have Cisco router 892 (c890-universalk9-mz.154-3.M4).

There are few entries in ACL on both sides for cryptomap:

access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 172.16.61.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 172.16.192.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 172.16.154.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 10.117.10.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 172.17.19.0 0.0.0.255
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.111.0 0.0.0.255

Now everything works fine. But I try to move my Nagios behind Cisco Router. When I initate IPSec traffic from it, then IPSec disconnecting every minute. Cisco PIX shows errors: Unable to find policy.

Can samebody give me a tip who to configure IPSec bi-directional?

Highlighted

Death forum =(((

Dead forum =(((

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here