Help VPN site to site ASA 5510

Hello,

To begin, I wish you a happy New Year!

I have to set up a site-to-site VPN with a customer, but I don't have much knowledge.

I based myself on forums and tutorials.

I first created my objects and put them in a group.

I created an access rule: MyNetwork to the Customer group, permitting IP and ICMP.

I configured the site to site VPN with the wizard.

My inside network: 172.23.12.0/24

My Firewall: ASA 5510

IKEv1:
- AES-256
- SHA-1
- Group 2 (1024-bit)
- Lifetime: 86400

IKEv2:
- AES-256
- ESP-SHA
- Lifetime: 28800
- PFS: no

I used the same key (the one the customer gave me) for IKEv1 and IKEv2.

 

My customer:

Encryption domain: 193.42.51.x/24, 195.118.x.x/24 and 172.17.x.x/12 (for the moment I don't use it)

VPN Internet address: 193.42.71.X

The customer gave me a test IP that accepts ping (ICMP): 172.29.0.20

I didn't create an object for 172.29.0.20

When I ping from 172.23.12.2 to 172.29.0.20, I get this error in the log:

 

4          Jan 03 2016 09:10:39        106023          172.23.12.2              172.29.0.20              Deny icmp src inside:172.23.12.2 dst outside:172.29.0.20 (type 8, code 0) by access-group "inside_access_in" [0x0, 0x0]

 

Here is my setup:

object-group network MyNetwork
 network-object host 172.23.12.2
 network-object 172.23.12.0 255.255.255.0

object-group network Customer
 network-object 193.42.51.X 255.255.255.0
 network-object 195.118.X.X 255.255.255.0

access-list VPN-Customer extended permit tcp 172.23.12.0 255.255.255.0 object-group DM_INLINE_NETWORK_18

nat (inside,outside) source static MyNetwork MyNetwork destination static Customer Customer route-lookup
!
route inside 172.23.12.0 255.255.255.0 10.10.8.2 1

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 5 match address VPN-Customer
crypto map outside_map 5 set peer 193.42.71.X
crypto map outside_map 5 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 5 set ikev2 ipsec-proposal AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400

crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group 193.42.71.X type ipsec-l2l
tunnel-group 193.42.71.X general-attributes
 default-group-policy GroupPolicy1
tunnel-group 193.42.71.X ipsec-attributes
 ikev1 pre-shared-key ****
 ikev2 remote-authentication pre-shared-key ****
 ikev2 local-authentication pre-shared-key ****

 

Can you help me, please?

Thank you very much.

Nicolas

Hi,

I think you have a few issues.
 

Firstly, it’s likely you have an access list named ‘inside_access_in’ applied on the inside interface. Traffic will need to be permitted there, i.e. access-list inside_access_in extended permit icmp object-group INSIDE-NETWORKS object-group DESTINATION-NETWORKS; this is what the log message indicates.


Secondly, the VPN access-list and the NAT differ. The access-list VPN-Customer identifies the interesting traffic for encryption; you’re permitting 172.23.12.0/24 (your network) to an object-group DM_INLINE_NETWORK_18? What’s that?

You have set up identity NAT, as NAT is processed before VPN. The Customer object is configured as:

object-group network Customer
 network-object 193.42.51.X 255.255.255.0
 network-object 195.118.X.X 255.255.255.0

Your ICMP request is to 172.29.0.20, which is not included above. The log indicates it’s denied by an ACL (inside_access_in), but even if permitted, the identity NAT will be ignored and, if you PAT to your outside interface, you may find your source address changes and is no longer picked up by the access-list VPN-Customer.

The remote end will need the same ACLs in reverse to tunnel the interesting traffic.

Joel.
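An added worked example, not from the thread and not Cisco code: a small Python checker for the three places Joel lists where the flow has to be covered before the ASA will encrypt it, in the order the box processes them (the inside interface ACL, an identity NAT rule so the source is not translated before the crypto check, and the crypto ACL that defines interesting traffic). Both config samples are constructed from the configuration posted in this thread (addresses as in the later posts); the parser understands only the object, object-group, access-list and nat syntax that appears here and is not a general ASA config parser.

```python
import ipaddress
from collections import namedtuple

Config = namedtuple("Config", "objects groups pgroups acls nats")
# Constructed sample shaped like the first config in the thread: 172.29.0.20 is in no group, crypto ACL is tcp-only.
BROKEN_CONFIG = """
object-group network MyNetwork
 network-object 172.23.12.0 255.255.255.0
object-group network Customer
 network-object 193.42.51.0 255.255.255.0
 network-object 195.118.2.0 255.255.255.0
access-list VPN-Customer extended permit tcp 172.23.12.0 255.255.255.0 object-group Customer
access-list inside_access_in extended permit icmp object-group MyNetwork object-group Customer
nat (inside,outside) source static MyNetwork MyNetwork destination static Customer Customer route-lookup
"""

# Constructed fix shaped like the later posts: the test host becomes an object network and joins the
# Customer group (already referenced by the NAT rule and inside ACL); the crypto ACL gets an ip/icmp group.
FIXED_CONFIG = BROKEN_CONFIG + """
object network 172.29.0.20
 host 172.29.0.20
object-group protocol DM_INLINE_PROTOCOL_7
 protocol-object ip
 protocol-object icmp
object-group network Customer
 network-object object 172.29.0.20
access-list VPN-Customer extended permit object-group DM_INLINE_PROTOCOL_7 object-group MyNetwork object-group Customer
"""

def net(addr, mask=None):  # "A" (host) or "A MASK" (dotted netmask); host bits tolerated
    return ipaddress.ip_network(addr if mask is None else f"{addr}/{mask}", strict=False)

def parse_config(text):  # collect network objects/groups, protocol groups, ACLs and NAT rules
    cfg, current = Config({}, {}, {}, {}, []), None
    for line in filter(str.strip, text.splitlines()):    # skip blank lines
        tok = line.split()
        if line.startswith(" ") and current:              # indented: member of the open block
            kind, name = current
            if kind == "object":                           # "host A" or "subnet A MASK"
                cfg.objects.setdefault(name, []).append(net(*tok[1:]))
            elif kind == "pgroup":                         # "protocol-object ip|icmp|tcp|udp"
                cfg.pgroups.setdefault(name, set()).add(tok[1])
            elif tok[1] == "object":                       # "network-object object NAME"
                cfg.groups.setdefault(name, []).extend(cfg.objects[tok[2]])
            else:                                          # "network-object host A" / "network-object A MASK"
                cfg.groups.setdefault(name, []).append(net(*(tok[2:] if tok[1] == "host" else tok[1:])))
            continue
        current = None                                     # any unindented line closes the open block
        if tok[:2] == ["object", "network"]:
            current = ("object", tok[2])
        elif tok[:2] == ["object-group", "network"]:
            current = ("group", tok[2])
        elif tok[:2] == ["object-group", "protocol"]:
            current = ("pgroup", tok[2])
        elif tok[0] == "access-list":                      # keep the ACE tokens after the ACL name
            cfg.acls.setdefault(tok[1], []).append(tok[2:])
        elif tok[0] == "nat":
            cfg.nats.append(tok)
    return cfg

def take_addr(tok, i, cfg):  # consume one ACE address term -> (networks, index of next token)
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [net(tok[i + 1])], i + 2
    if tok[i] in ("object", "object-group"):
        return (cfg.objects if tok[i] == "object" else cfg.groups)[tok[i + 1]], i + 2
    return [net(tok[i], tok[i + 1])], i + 2

def ace_matches(ace, proto, src, dst, cfg):  # ace = ["extended", "permit"|"deny", proto, src, dst, ...]
    protos, i = (cfg.pgroups[ace[3]], 4) if ace[2] == "object-group" else ({ace[2]}, 3)
    srcs, i = take_addr(ace, i, cfg)
    dsts, _ = take_addr(ace, i, cfg)
    return ("ip" in protos or proto in protos) and any(src in n for n in srcs) and any(dst in n for n in dsts)

def acl_permits(aces, proto, src, dst, cfg):
    for ace in aces:                                       # first matching ACE decides
        if ace_matches(ace, proto, src, dst, cfg):
            return ace[1] == "permit"
    return False                                           # implicit deny at the end of every ACL

def identity_nat_covers(src, dst, cfg):
    for tok in cfg.nats:  # nat (in,out) source static REAL MAPPED destination static REAL MAPPED ...
        if (tok[2:4] != ["source", "static"] or tok[6:8] != ["destination", "static"]
                or tok[4] != tok[5] or tok[8] != tok[9]):
            continue                                       # not an identity (real == mapped) twice-NAT rule
        src_nets = cfg.groups.get(tok[4]) or cfg.objects.get(tok[4], [])
        dst_nets = cfg.groups.get(tok[8]) or cfg.objects.get(tok[8], [])
        if any(src in n for n in src_nets) and any(dst in n for n in dst_nets):
            return True
    return False

def check_flow(config_text, proto, src, dst, inside_acl="inside_access_in", crypto_acl="VPN-Customer"):
    """Inbound ACL, identity NAT and crypto ACL: all three must cover the flow before it enters the tunnel."""
    cfg = parse_config(config_text)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return {"inside_acl": acl_permits(cfg.acls.get(inside_acl, []), proto, src, dst, cfg),
            "identity_nat": identity_nat_covers(src, dst, cfg),
            "crypto_acl": acl_permits(cfg.acls.get(crypto_acl, []), proto, src, dst, cfg)}
```

Calling check_flow(BROKEN_CONFIG, "icmp", "172.23.12.2", "172.29.0.20") returns False for all three checks, which is the state of the original post: the inside ACL drops the ping (the 106023 message), and even once that is permitted the NAT rule and the crypto ACL still do not cover the test host. With FIXED_CONFIG the same call returns True for all three. The parser deliberately evaluates the first matching ACE only and applies the implicit deny, like the ASA does.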

Hi Joel,

Thank you for your answer.

In ACL Manager (ASDM), I see an ACL named “inside_access_in”.

Now I have put my rule in “inside_access_in”:

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_6 172.23.12.0 255.255.255.0 object-group Network_Customer

For your information :

object-group protocol DM_INLINE_PROTOCOL_6

 protocol-object ip

 protocol-object icmp

 

Network_Customer : 193.42.51.x/24, 195.118.x.x/24 & 172.29.0.20/32

Is 172.29.0.20/32 correct in “Network_Customer”?

 

The old rule was in an ACL named “VPN-Customer”:

access-list VPN-Customer extended permit tcp 172.23.12.0 255.255.255.0 object-group DM_INLINE_NETWORK_18

 

Now :

In Access Rules (ASDM -> Firewall), I see the same rule: MyNetwork to Network_Customer, permit IP and ICMP, on the INSIDE interface.

In NAT Rules (ASDM -> Firewall), I don't see a rule. Do I have to create one, for 172.29.0.20?

In Connection Profiles (ASDM -> Site-to-site VPN), I see "193.42.51.x/24 & 195.118.x.x/24" in Remote Network. Is that correct?

Thank you for your help.

Nicolas

Hi Nicholas,

Would you be able to copy the relevant config again as you did in the first post? With the necessary object-groups?

Joel

Hi Joel,

Here it is:

object network 172.29.0.20
host 172.29.0.20

object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp

object-group protocol group-ip-icmp
protocol-object ip
protocol-object icmp

object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object udp
protocol-object tcp

object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp

object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object tcp destination eq 3389

object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp

object-group network MyNetwork
network-object host 172.23.12.2
network-object 172.23.12.0 255.255.255.0

object-group network Network_Customer
network-object 193.42.51.0 255.255.255.0
network-object 195.118.2.0 255.255.255.0
network-object object 172.29.0.20

object-group protocol DM_INLINE_PROTOCOL_6
protocol-object ip
protocol-object icmp

object-group network DM_INLINE_NETWORK_18
network-object 193.42.51.0 255.255.255.0
network-object 195.118.2.0 255.255.255.0

object-group network DM_INLINE_NETWORK_20
network-object 193.42.51.0 255.255.255.0
network-object 195.118.2.0 255.255.255.0
network-object object 172.29.0.20

access-list outside_cryptomap extended permit ip 172.23.12.0 255.255.255.0 object-group DM_INLINE_NETWORK_18

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_6 172.23.12.0 255.255.255.0 object-group DM_INLINE_NETWORK_20

nat (inside,outside) source static MyNetwork MyNetwork destination static Network_Customer Network_Customer route-lookup
!

route inside 172.23.12.0 255.255.255.0 10.10.8.2 1


no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 193.42.253.131
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 2
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_193.42.71.X internal
group-policy GroupPolicy_193.42.71.X attributes
vpn-tunnel-protocol ikev1 ikev2


tunnel-group 193.42.71.X type ipsec-l2l
tunnel-group 193.42.71.X general-attributes
default-group-policy GroupPolicy_193.42.71.X
tunnel-group 193.42.71.X ipsec-attributes
ikev1 pre-shared-key xxxxx
ikev2 remote-authentication pre-shared-key xxxxx
ikev2 local-authentication pre-shared-key xxxxx
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
policy-map type inspect esmtp ESMTP_allow_TLS
description Allow TLS from SMTP server
parameters
no mask-banner
allow-tls
match sender-address length gt 320
log
match MIME filename length gt 255
log
match cmd line length gt 512
log
match cmd RCPT count gt 100
log
match body line length gt 998
log
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:25aefb6cb3129178d73611d7845ds4f
: end

Thank you.

Nicolas

Hi Nicolas,

You are identifying the interesting traffic using the ACL outside_cryptomap. Your source is your network and the destination is the object-group DM_INLINE_NETWORK_18:

access-list outside_cryptomap extended permit ip 172.23.12.0 255.255.255.0 object-group DM_INLINE_NETWORK_18

The DM_INLINE_NETWORK_18 object-group is missing the subnet/host you're trying to ping, i.e. 172.29.0.20. Without this the ASA will not know this host is to be encrypted for this L2L.

Joel

Hi Joel,

Here it is:

object-group protocol DM_INLINE_PROTOCOL_6
protocol-object ip
protocol-object icmp

object-group network DM_INLINE_NETWORK_18
network-object 193.42.51.0 255.255.255.0
network-object 195.118.2.0 255.255.255.0
network-object object 172.29.0.20

object-group network DM_INLINE_NETWORK_20
network-object 193.42.51.0 255.255.255.0
network-object 195.118.2.0 255.255.255.0
network-object object 172.29.0.20

object-group protocol DM_INLINE_PROTOCOL_7
protocol-object ip
protocol-object icmp

access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_7 172.23.12.0 255.255.255.0 object-group DM_INLINE_NETWORK_18

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_6 172.23.12.0 255.255.255.0 object-group DM_INLINE_NETWORK_20

OK for you?

Do I have to add a rule in NAT Rules?

Thank you.

Nicolas

Hi Nicholas,

You already have the identity NAT rule.

nat (inside,outside) source static MyNetwork MyNetwork destination static Network_Customer Network_Customer

Have you tried initiating traffic since the changes?

Try packet-tracer to make sure no ACL or NAT is causing issues.

If the tunnel is not working you will need to run debug.

debug crypto isakmp

debug crypto ipsec

Remember to undebug. We need to figure out whether you're attempting to establish the tunnel.

Joel

Joel,

I am pinging from 172.23.12.2 to 172.29.0.20, but it's not responding.

Now in the log:

6 Jan 07 2016 21:21:08 302020 172.23.12.2 512 172.29.0.20 0 Built outbound ICMP connection for faddr 172.29.0.20/0 gaddr 194.154.208.158/512 laddr 172.23.12.2/512

I don't see a rule in NAT Rules (ASDM).

In Monitoring -> VPN -> Sessions -> Filter by "IPSEC Site-to-site", I don't see anything.

Any idea?

Let's try the following:

Run packet-tracer input inside icmp 172.23.12.2 8 0 172.29.0.20 detailed and copy the output for me.

Can you also do a show run nat and copy the results?

You do have one NAT rule, which you've copied: it is identity NAT, previously known as NAT0. NAT is processed before crypto, and in your situation you don't want NAT/PAT.

nat (inside,outside) source static MyNetwork MyNetwork destination static Network_Customer Network_Customer route-lookup

Thanks

Joel.
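An added example, not part of the thread: the two log messages Nicolas posted (106023 and 302020) already answer "is the ACL or the NAT in the way?", and this Python snippet reads them in the order Joel describes (inbound ACL first, then NAT, then the crypto map). In a 302020 message laddr is the real local address and gaddr the mapped one, so a gaddr that differs from laddr means the source was translated before the crypto map was consulted, which is the failure mode Joel warns about. The third sample line is constructed to show what an identity-NAT hit looks like (gaddr equal to laddr); handling of the raw %ASA- syslog prefix is an assumption beyond the ASDM column format shown in the thread.

```python
import re

# Log lines as the thread shows them (ASDM log viewer columns: severity, timestamp, message ID,
# addresses, text). The third line is constructed: gaddr equal to laddr, i.e. identity NAT matched.
SAMPLE_LOGS = [
    '4 Jan 03 2016 09:10:39 106023 172.23.12.2 172.29.0.20 Deny icmp src inside:172.23.12.2 '
    'dst outside:172.29.0.20 (type 8, code 0) by access-group "inside_access_in" [0x0, 0x0]',
    '6 Jan 07 2016 21:21:08 302020 172.23.12.2 512 172.29.0.20 0 Built outbound ICMP connection '
    'for faddr 172.29.0.20/0 gaddr 194.154.208.158/512 laddr 172.23.12.2/512',
    '6 Jan 07 2016 21:25:00 302020 172.23.12.2 512 172.29.0.20 0 Built outbound ICMP connection '
    'for faddr 172.29.0.20/0 gaddr 172.23.12.2/512 laddr 172.23.12.2/512',
]

# Accept either the ASDM viewer layout or a raw syslog "%ASA-4-106023: ..." prefix (assumed format).
HEADER = re.compile(r'^(?:(?P<sev>\d)\s+\w{3} \d\d \d{4} \d\d:\d\d:\d\d\s+(?P<id>\d{6})'
                    r'|%ASA-(?P<sev2>\d)-(?P<id2>\d{6}):)\s*(?P<rest>.*)$')
DENY_106023 = re.compile(r'Deny (?P<proto>\S+) src (?P<sif>[^:\s]+):(?P<src>[\d.]+)(?:/\d+)? '
                         r'dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)(?:/\d+)?.*by access-group "(?P<acl>[^"]+)"')
BUILT_302020 = re.compile(r'Built (?P<dir>inbound|outbound) ICMP connection for faddr (?P<faddr>[\d.]+)/\d+ '
                          r'gaddr (?P<gaddr>[\d.]+)/\d+ laddr (?P<laddr>[\d.]+)/\d+')


def diagnose(line):
    """Classify one ASA log line against the L2L order of operations: inbound ACL, then NAT, then crypto."""
    h = HEADER.match(line.strip())
    if not h:
        return {"id": None, "finding": "unrecognised line"}
    msg_id, text = h["id"] or h["id2"], h["rest"]
    if msg_id == "106023":
        m = DENY_106023.search(text)
        if m:
            return {"id": msg_id, "src": m["src"], "dst": m["dst"], "acl": m["acl"],
                    "finding": f'{m["proto"]} {m["src"]}->{m["dst"]} dropped by ACL {m["acl"]} on {m["sif"]}; '
                               'the packet never reached NAT or the crypto map'}
    if msg_id == "302020":
        m = BUILT_302020.search(text)
        if m:
            translated = m["gaddr"] != m["laddr"]      # mapped local address differs from the real one
            return {"id": msg_id, "src": m["laddr"], "dst": m["faddr"], "mapped_src": m["gaddr"],
                    "translated": translated,
                    "finding": (f'source translated to {m["gaddr"]} before crypto: the identity NAT rule was '
                                'not matched, so this flow cannot match the crypto ACL' if translated else
                                f'{m["laddr"]} left untranslated (identity NAT hit); check the crypto ACL and IKE next')}
    return {"id": msg_id, "finding": "no checklist rule for this message"}


def faults(lines):
    """Keep only the lines that point at a misconfiguration (ACL drop or unexpected translation)."""
    return [d for d in map(diagnose, lines) if d.get("acl") or d.get("translated")]
```

Run over SAMPLE_LOGS, faults() returns two findings: the ACL drop from the first post and the translated source from the second 302020 line; the constructed third line (identity NAT hit) is not reported. A 302020 with gaddr equal to laddr is the state you want to see before looking at IKE debugs.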

When I do a packet tracer:

Step 2 of 6, ingress interface: INSIDE
Source: 172.23.12.2, destination: 172.29.0.20, protocol: ICMP

Step 3 of 6, ingress interface: OUTSIDE
Source: 172.23.12.2, destination: 172.29.0.20, protocol: ICMP

Result: 172.23.12.2 -> 172.29.0.20 ICMP: echo request

For show run nat:

nat (inside,outside) source static My_Network My_Network destination static Network_Customer Network_Customer route-lookup

Hi Nicolas,

Clearly in different time zones. When you do a packet-tracer it should output more information such as below..

WXFWDEV002# packet-tracer input dev-network icmp 172.31.89.10 8 0 172.31.84.10

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         corporate-network

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dev-network-in in interface dev-network
access-list dev-network-in extended permit icmp object-group WW-Net-Dev any log
object-group network WW-Net-Dev
 network-object 172.31.89.0 255.255.255.0
Additional Information:

etc

Can I have that information to see if your NAT is being hit? I will need the full output. I don't use ASDM often; are you able to SSH to the device and run packet-tracer?

Joel

Hi Joel,

Now it's working :-)

I deleted all the "object-group network" entries and created "object network" entries instead.

I created a no-NAT rule (in ASDM > NAT Rules): 172.23.12.2 > 172.29.0.20

I seem to see commands in the CLI that do not appear in ASDM.

Example: nat (inside,outside) source static MyNetwork MyNetwork destination static Network_Customer Network_Customer route-lookup

I deleted the "object-group network" entries in ASDM, and I see them again in the CLI.

Is the command to delete an object-group "clear configure object-group network "name""?

Here is the setup:

object network 172.29.0.20
host 172.29.0.20

object network 172.23.12.0
subnet 172.23.12.0 255.255.255.0

object network 172.23.12.2
host 172.23.12.2

object network 193.42.51.0
subnet 193.42.51.0 255.255.255.0

object network 195.118.2.0
subnet 195.118.2.0 255.255.255.0

object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp

object-group protocol group-ip-icmp
protocol-object ip
protocol-object icmp

object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp

object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp

object-group protocol DM_INLINE_PROTOCOL_6
protocol-object ip
protocol-object icmp

object-group network DM_INLINE_NETWORK_18
network-object object 172.29.0.20
network-object object 193.42.51.0
network-object object 195.118.2.0

object-group network DM_INLINE_NETWORK_20
network-object object 172.29.0.20
network-object object 193.42.51.0
network-object object 195.118.2.0

object-group protocol DM_INLINE_PROTOCOL_7
protocol-object ip
protocol-object icmp

access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_7 object 172.23.12.2 object-group DM_INLINE_NETWORK_18

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_6 object 172.23.12.2 object-group DM_INLINE_NETWORK_20

nat (inside,outside) source static 172.23.12.2 172.23.12.2 destination static 172.29.0.20 172.29.0.20

nat (inside,outside) source static MyNetwork MyNetwork destination static Network_Customer Network_Customer route-lookup

route inside 172.23.12.0 255.255.255.0 10.10.8.2 1

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 193.42.253.131
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 2
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


tunnel-group 193.42.71.X type ipsec-l2l
tunnel-group 193.42.71.X general-attributes
default-group-policy GroupPolicy1
tunnel-group 193.42.71.X ipsec-attributes
ikev1 pre-shared-key XXXX
ikev2 remote-authentication pre-shared-key XXXX
ikev2 local-authentication pre-shared-key XXXX


ciscoasa# packet-tracer input outside icmp 172.23.12.2 8 0 172.29.0.20

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group icmp_out_in in interface outside
access-list icmp_out_in extended deny ip any any
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The "drop" is strange, no?

I would like to thank you.

Nicolas
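An added example, not from the thread: Joel asks for the full packet-tracer output so he can see which phase drops the packet and whether NAT is hit, and the last trace above shows why that matters (run with input outside for the inside host 172.23.12.2, it is dropped by the ACL on the outside interface before any NAT or crypto phase). This Python snippet parses packet-tracer output into its phases and the trailing Result block, reports the dropping phase together with the config lines printed under it, whether a NAT phase was reached at all, and whether the ingress interface in the summary is the one you expected. The two trace texts are constructed from the outputs posted in this thread (the first abridged as Joel posted it); the expected-ingress comparison is my addition, not an ASA feature.

```python
# Two packet-tracer outputs, constructed from the ones posted in the thread.
TRACE_ALLOW = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         corporate-network

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dev-network-in in interface dev-network
access-list dev-network-in extended permit icmp object-group WW-Net-Dev any log
Additional Information:
"""

TRACE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group icmp_out_in in interface outside
access-list icmp_out_in extended deny ip any any
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(text):
    """Split packet-tracer output into its numbered phases and the trailing Result block."""
    phases, final, block, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            block = {"phase": int(line.split(":", 1)[1]), "config": [], "info": []}
            phases.append(block)
            section = None
        elif line == "Result:":                      # the summary block: bare "Result:" with no value
            block, section = final, None
        elif not line or block is None:
            continue
        elif block is final:                         # "input-interface: outside", "Action: drop", ...
            key, _, value = line.partition(":")
            final[key] = value.strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section:                                # lines listed under Config: / Additional Information:
            block[section].append(line)
        else:                                        # "Type: ACCESS-LIST", "Subtype: log", "Result: DROP"
            key, _, value = line.partition(":")
            block[key.lower()] = value.strip()
    return phases, final


def verdict(text, expected_ingress=None):
    """Where the packet died, which config line did it, and whether NAT was ever consulted."""
    phases, final = parse_trace(text)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    ingress = final.get("input-interface")
    return {
        "phases": [(p["phase"], p.get("type"), p.get("result")) for p in phases],
        "dropped_in": drop["type"] if drop else None,
        "drop_config": drop["config"] if drop else [],
        "drop_reason": final.get("Drop-reason"),
        "nat_consulted": any(p.get("type") == "NAT" for p in phases),
        "ingress": ingress,
        # packet-tracer only answers the question when the packet enters where the source lives;
        # None when the trace has no summary block (abridged output) or no expectation was given
        "ingress_ok": None if ingress is None or expected_ingress is None else ingress == expected_ingress,
    }
```

For the posted drop, verdict(TRACE_DROP, expected_ingress="inside") reports the ACCESS-LIST phase, the two config lines of icmp_out_in, no NAT phase at all, and ingress_ok False: the trace was entered on the wrong interface, so it says nothing about the inside ACL, the identity NAT or the crypto map. A trace that clears the ACL phase on the inside interface and then shows a NAT phase with the identity rule is what Joel is asking to see.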
