07-19-2012 01:40 PM
I have an ASA which has a few static vpn sessions set up on it already from PIX boxes. I need a 2621 router to be able to set up a vpn connection to this ASA. I have not been able to get it working.
Output from debugs on router:
*Mar 1 01:19:38.979: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 74.80.56.70, remote= ASA-IP,
local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x7348980A(1934137354), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 01:19:38.979: ISAKMP: received ke message (1/1)
*Mar 1 01:19:38.979: ISAKMP (0:0): SA request profile is (NULL)
*Mar 1 01:19:38.983: ISAKMP: local port 500, remote port 500
*Mar 1 01:19:38.983: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 01:19:38.983: ISAKMP: insert sa successfully sa = 830CF4BC
*Mar 1 01:19:38.983: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
*Mar 1 01:19:38.983: ISAKMP: Looking for a matching key for ASA-IP in default : success
*Mar 1 01:19:38.983: ISAKMP (0:1): found peer pre-shared key matching ASA-IP
*Mar 1 01:19:38.987: ISAKMP (0:1): constructed NAT-T vendor-07 ID
*Mar 1 01:19:38.987: ISAKMP (0:1): constructed NAT-T vendor-03 ID
*Mar 1 01:19:38.987: ISAKMP (0:1): constructed NAT-T vendor-02 ID
*Mar 1 01:19:38.987: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 01:19:38.987: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 01:19:38.987: ISAKMP (0:1): beginning Main Mode exchange
*Mar 1 01:19:38.987: ISAKMP (0:1): sending packet to ASA-IP my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 01:19:48.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 01:19:48.991: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 1 01:19:48.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 01:19:48.991: ISAKMP (0:1): sending packet to ASA-IP my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 01:19:58.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 01:19:58.991: ISAKMP (0:1): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 1 01:19:58.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 01:19:58.991: ISAKMP (0:1): sending packet to ASA-IP my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 01:20:08.979: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 74.80.56.70, remote= ASA-IP,
local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)
*Mar 1 01:20:08.979: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 74.80.56.70, remote= ASA-IP,
local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xCB8582CD(3414524621), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 01:20:08.983: ISAKMP: received ke message (1/1)
*Mar 1 01:20:08.983: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 01:20:08.983: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 74.80.56.70, remote ASA-IP)
*Mar 1 01:20:08.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 01:20:08.991: ISAKMP (0:1): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar 1 01:20:08.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 01:20:08.991: ISAKMP (0:1): sending packet to ASA-IP my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 01:20:18.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 01:20:18.991: ISAKMP (0:1): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar 1 01:20:18.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 01:20:18.991: ISAKMP (0:1): sending packet to ASA-IP my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 01:20:28.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 01:20:28.991: ISAKMP (0:1): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar 1 01:20:28.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 01:20:28.991: ISAKMP (0:1): sending packet to ASA-IP my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 01:20:38.979: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 74.80.56.70, remote= ASA-IP,
local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)
*Mar 1 01:20:38.979: ISAKMP: received ke message (3/1)
*Mar 1 01:20:38.979: ISAKMP (0:1): peer does not do paranoid keepalives.
*Mar 1 01:20:38.979: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer ASA-IP) input queue 0
*Mar 1 01:20:38.983: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer ASA-IP) input queue 0
*Mar 1 01:20:38.983: ISAKMP (0:1): deleting node 1094787083 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar 1 01:20:38.983: ISAKMP (0:1): deleting node -1121124209 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar 1 01:20:38.983: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 1 01:20:38.983: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_DEST_SA
*Mar 1 01:21:28.983: ISAKMP (0:1): purging node 1094787083
*Mar 1 01:21:28.983: ISAKMP (0:1): purging node -1121124209
*Mar 1 01:21:38.983: ISAKMP (0:1): purging SA., sa=830CF4BC, delme=830CF4BC
*Mar 1 01:21:38.983: CryptoEngine0: delete connection 1
ncollege#
Output from ASA:
Jul 19 14:17:57 [IKEv1]: IP = 74.80.56.70, Removing peer from peer table failed, no match!
Jul 19 14:17:57 [IKEv1]: IP = 74.80.56.70, Error: Unable to remove PeerTblEntry
Jul 19 14:18:27 [IKEv1]: IP = 74.80.56.70, Removing peer from peer table failed, no match!
Jul 19 14:18:27 [IKEv1]: IP = 74.80.56.70, Error: Unable to remove PeerTblEntry
I will note that I am doing some PAT at the router location... at that location, I cannot seem to ping the outside interface of the ASA from the router. From the internal hosts that are not going through the vpn I can ping the outside interface of the ASA.
Relevant config of router:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key MYKEY address ASA-IP no-xauth
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer ASA-IP
set transform-set myset2
match address 101
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet0/1.108
description intRAnetVLAN
encapsulation dot1Q 108
ip address 192.168.8.1 255.255.255.0
!
interface FastEthernet0/1.109
description intERnetVLAN
encapsulation dot1Q 109
ip address 192.168.9.1 255.255.255.0
ip nat inside
ip nat pool overit 74.80.56.70 74.80.56.70 netmask 255.255.255.0
ip nat inside source route-map nonat pool overit overload
ip route 192.168.1.0 255.255.255.0 ASA-IP
ip route 192.168.3.0 255.255.255.0 ASA-IP
ip route 192.168.5.0 255.255.255.0 ASA-IP
!
access-list 1 permit 192.168.9.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 deny ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 deny ip 192.168.8.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 deny ip 192.168.8.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 permit ip 192.168.8.0 0.0.0.255 any
access-list 120 permit ip 192.168.9.0 0.0.0.255 any
!
route-map sip_nat permit 10
match ip address udp_rtp
!
route-map nonat permit 10
match ip address 120
07-20-2012 01:08 AM
The following configuration is incorrect and you should remove it:
ip route 192.168.1.0 255.255.255.0 ASA-IP
ip route 192.168.3.0 255.255.255.0 ASA-IP
ip route 192.168.5.0 255.255.255.0 ASA-IP
Are you saying that in front of the router there is a PAT device? and is there any acl that might be blocking the traffic?
It seems that you are just passing IKE Message 1 and there is no reply, so assuming that it doesn't even get to the ASA as you can't ping the ASA outside interface from the router.
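The "message 1 sent, no reply" reading of the debug above can be checked mechanically rather than by eye. The script below is an added example, not code from this thread or from Cisco: it scans IOS "debug crypto isakmp" output, counts outbound and inbound IKE packets for one Phase 1 attempt, records the retransmit counter and the final state, and classifies the attempt. The first sample is trimmed from the router debug posted above; the second, a successful exchange, is constructed, and its "received packet from" line follows the usual IOS wording for an inbound IKE packet (an assumption, since no inbound packet appears in the posted capture).

```python
"""Classify a Cisco IOS 'debug crypto isakmp' capture: did the peer ever
answer IKE Main Mode message 1?  Added example, not part of the thread."""
import re

# Excerpt of the router debug posted in the thread (first send through the
# SA deletion, with repeated retransmit lines trimmed).
NO_REPLY_DEBUG = """\
*Mar 1 01:19:38.987: ISAKMP (0:1): beginning Main Mode exchange
*Mar 1 01:19:38.987: ISAKMP (0:1): sending packet to ASA-IP my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 01:19:48.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 01:19:48.991: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 1 01:19:48.991: ISAKMP (0:1): sending packet to ASA-IP my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 01:20:28.991: ISAKMP (0:1): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar 1 01:20:28.991: ISAKMP (0:1): sending packet to ASA-IP my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 01:20:38.979: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer ASA-IP) input queue 0
*Mar 1 01:20:38.983: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_DEST_SA
"""

# Constructed contrast case (not from the thread): the peer answers and the
# initiator advances to MM2.  The 'received packet from' wording is the usual
# IOS form for an inbound IKE packet; assumption, since none was posted.
REPLY_DEBUG = """\
*Mar 1 02:00:00.000: ISAKMP (0:2): beginning Main Mode exchange
*Mar 1 02:00:00.000: ISAKMP (0:2): sending packet to 203.0.113.10 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 02:00:00.120: ISAKMP (0:2): received packet from 203.0.113.10 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 1 02:00:00.120: ISAKMP (0:2): Old State = IKE_I_MM1 New State = IKE_I_MM2
"""

SENT_RE = re.compile(r"sending packet to (\S+) my_port \d+ peer_port \d+ \([IR]\) (\w+)")
RECV_RE = re.compile(r"received packet from (\S+) ")
ATTEMPT_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
STATE_RE = re.compile(r"New State = (\w+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')


def analyze_isakmp_debug(text):
    """Summarise one Phase 1 attempt and classify it."""
    peer = None
    sent = received = 0
    attempts = (0, 0)          # (attempt, of) from the last retransmit counter line
    last_state = None
    delete_reason = None
    for line in text.splitlines():
        if m := SENT_RE.search(line):
            peer = peer or m.group(1)
            sent += 1
        elif RECV_RE.search(line):
            received += 1
        elif m := ATTEMPT_RE.search(line):
            attempts = (int(m.group(1)), int(m.group(2)))
        elif m := STATE_RE.search(line):
            last_state = m.group(1)
        elif m := DELETE_RE.search(line):
            delete_reason = m.group(1)

    if sent == 0:
        # Crypto map never fired: interesting-traffic ACL or routing, not IKE.
        verdict = "no_ike_attempt"
    elif received == 0:
        # MM1 left, nothing came back: reachability or filtering of UDP/500,
        # or the peer is listening on a different address.
        verdict = "phase1_no_reply"
    else:
        # Peer is reachable; look at proposal or pre-shared-key mismatches instead.
        verdict = "phase1_reply_seen"
    return {"peer": peer, "sent": sent, "received": received, "retransmits": attempts,
            "last_state": last_state, "delete_reason": delete_reason, "verdict": verdict}


if __name__ == "__main__":
    for label, capture in (("thread capture", NO_REPLY_DEBUG), ("constructed", REPLY_DEBUG)):
        print(label, analyze_isakmp_debug(capture))
```

A capture that dies in MM_NO_STATE with zero inbound packets points at reachability or filtering of UDP/500, or at the wrong peer address, not at the pre-shared key: the PSK only enters the exchange after the key-exchange messages, so it has not been checked yet when the initiator gives up here. The deletion reason "gen_ipsec_isakmp_delete" in such a capture follows the IPSEC key_engine request timer firing, which is the IPsec side giving up after the retransmits.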
07-20-2012 04:15 AM
Ok, I thought I had read in the CISCO docs I needed to tell the router to route those LANs to the ASA... however, there is nothing but the ISP on the other side of the router with a static (dhcp assigned) IP address. I can not for the life of me figure out why this router can not ping the ASA from the console. Even with extended attributes on ping and giving it the source of the fastethernet0/0, I can not ping the ASA or, for example, 8.8.8.8. However, on an inside client I can ping anything on the internet.
We have this particular ISP at two other locations, with the same service, and they are not blocking ports there, so I do not think it is an ISP blocking issue. Does it look like I have some kind of strange PAT/NAT problem that would prevent the router itself from being able to ping?
Thanks.
07-20-2012 05:24 AM
I assume that the router has default route configured, right?
If you try to ping sourcing the ping from FastEthernet0/1.108 interface towards ASA LAN, anything in 192.168.1.0/24, 192.168.3.0/24 or 192.168.5.0/24, does the tunnel get established?
If not, can you please share the full config of both the router and the ASA. Thanks.
07-20-2012 11:34 AM
Ok, so I can not do a source ping. I will note again, I think this is part of the problem, from the 2621, I can not ping anything on the outside. I can ping inside, but not out. From the inside, after I removed the three nat statements you suggested, my internal hosts can not ping to the internet at all.
Here are my configs and some diags I tried.
::::::::::::::
cisco2600_07202012.txt
::::::::::::::
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ncollege
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
clock timezone CST -6
aaa new-model
!
!
aaa session-id common
ip subnet-zero
ip cef
!
!
ip domain name somedomain.com
!
ip audit po max-events 100
vlan ifdescr detail
!
!
!
!
!
!
!
!
!
!
!
!
username
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key mykey address ASA-IP
!
!
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer ASA-IP
set transform-set myset2
match address 101
!
!
!
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet0/1
no ip address
speed auto
full-duplex
!
interface FastEthernet0/1.108
description intRAnetVLAN
encapsulation dot1Q 108
ip address 192.168.8.1 255.255.255.0
!
interface FastEthernet0/1.109
description intERnetVLAN
encapsulation dot1Q 109
ip address 192.168.9.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1.120
description cameraVLAN
encapsulation dot1Q 120
ip address 192.168.120.1 255.255.255.0
!
interface FastEthernet0/1.127
description collegeVoiceVLAN
encapsulation dot1Q 127
ip address 192.168.127.1 255.255.255.0
!
ip nat pool overit 74.80.56.70 74.80.56.70 netmask 255.255.255.0
ip nat inside source route-map nonat pool overit overload
ip nat inside source static udp 192.168.9.10 5060 interface FastEthernet0/1 5060
ip nat inside source static udp 192.168.9.10 5060 74.80.56.70 5060 extendable
ip nat inside source static 192.168.9.10 74.80.56.70 route-map sip_nat
ip nat inside source static tcp 192.168.9.10 22 74.80.56.70 2222 extendable
ip http server
no ip http secure-server
ip classless
!
!
ip access-list extended udp_rtp
permit udp host 192.168.9.10 any range 10001 20000
access-list 1 permit 192.168.9.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 deny ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 deny ip 192.168.8.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 deny ip 192.168.8.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 permit ip 192.168.8.0 0.0.0.255 any
access-list 120 permit ip 192.168.9.0 0.0.0.255 any
!
route-map sip_nat permit 10
match ip address udp_rtp
!
route-map nonat permit 10
match ip address 120
!
!
!
!
!
!
line con 0
password 7
line aux 0
line vty 0 4
password 7
transport input ssh
!
ntp server 66.207.226.14
!
end
ncollege#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 74.80.56.1 to network 0.0.0.0
69.0.0.0/32 is subnetted, 1 subnets
S 69.1.184.70 [254/0] via 74.80.56.1, FastEthernet0/0
C 192.168.120.0/24 is directly connected, FastEthernet0/1.120
C 192.168.8.0/24 is directly connected, FastEthernet0/1.108
C 192.168.127.0/24 is directly connected, FastEthernet0/1.127
C 192.168.9.0/24 is directly connected, FastEthernet0/1.109
74.0.0.0/21 is subnetted, 1 subnets
C 74.80.56.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [254/0] via 74.80.56.1
ncollege#ping
Protocol [ip]:
Target IP address: 174.79.16.121
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 74.80.56.70
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 174.79.16.121, timeout is 2 seconds:
Packet sent with a source address of 74.80.56.70
.....
Success rate is 0 percent (0/5)
ncollege#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.8.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.8.1
.....
Success rate is 0 percent (0/5)
ncollege#
::::::::::::::
asa.txt
::::::::::::::
ASA Version 8.2(1)
!
terminal width 100
hostname mouton
domain-name oilcenter.com
enable password
passwd
names
name 192.168.3.28 surveillix2
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.7 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ASA-IP 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name oilcenter.com
same-security-traffic permit intra-interface
access-list outside extended permit icmp any any
access-list outside extended permit tcp any interface outside eq 3100
access-list outside extended permit tcp any interface outside range 3001 3004
access-list outside extended permit tcp any interface outside eq 9000
access-list outside extended permit tcp any interface outside eq 3389
access-list outside extended permit tcp any interface outside range 1999 2003
access-list 105 extended permit ip 192.168.1.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list 105 extended permit ip 192.168.3.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list 105 extended permit ip 192.168.5.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list 105 extended permit ip 192.168.8.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list 105 extended permit ip 192.168.10.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list 105 extended permit ip 192.168.11.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list 105 extended permit ip 192.168.18.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list 105 extended permit ip 192.168.20.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list 105 extended permit ip 192.168.22.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list 90 extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 90 extended permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 90 extended permit ip 192.168.8.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 90 extended permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 90 extended permit ip 192.168.11.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 90 extended permit ip 192.168.16.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 90 extended permit ip 192.168.1.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list 90 extended permit ip 192.168.3.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list 90 extended permit ip 192.168.10.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list 90 extended permit ip 192.168.16.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list 90 extended permit ip 192.168.20.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list 90 extended permit ip 192.168.22.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 100 extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 100 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 100 extended permit ip 192.168.16.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 100 extended permit ip 192.168.18.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 100 extended permit ip 192.168.22.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list 95 extended permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 95 extended permit ip 192.168.3.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 95 extended permit ip 192.168.5.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 95 extended permit ip 192.168.8.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 95 extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 95 extended permit ip 192.168.16.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 95 extended permit ip 192.168.1.0 255.255.255.0 192.168.22.0 255.255.255.0
access-list 95 extended permit ip 192.168.3.0 255.255.255.0 192.168.22.0 255.255.255.0
access-list 95 extended permit ip 192.168.10.0 255.255.255.0 192.168.22.0 255.255.255.0
access-list 95 extended permit ip 192.168.16.0 255.255.255.0 192.168.22.0 255.255.255.0
access-list 95 extended permit ip 192.168.18.0 255.255.255.0 192.168.22.0 255.255.255.0
access-list 95 extended permit ip 192.168.20.0 255.255.255.0 192.168.22.0 255.255.255.0
access-list 108 extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list 108 extended permit ip 192.168.3.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list 108 extended permit ip 192.168.5.0 255.255.255.0 192.168.8.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool rw 192.168.10.1-192.168.10.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 174.79.16.113 1
route outside ASA-GW 255.255.255.240 ASA-IP 1
route inside 192.168.1.0 255.255.255.0 192.168.3.1 1
route inside 192.168.3.0 255.255.255.0 192.168.3.7 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec transform-set rw esp-3des esp-sha-hmac
crypto ipsec transform-set rw mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map houston_dyn_map 60 set transform-set rw
crypto map houston 20 match address 90
crypto map houston 20 set peer 173.11.176.173
crypto map houston 20 set transform-set strong
crypto map houston 30 match address 100
crypto map houston 30 set peer 71.22.29.120
crypto map houston 30 set transform-set strong
crypto map houston 40 match address 95
crypto map houston 40 set peer 68.15.195.66
crypto map houston 40 set transform-set strong
crypto map houston 50 match address 105
crypto map houston 50 set peer 166.142.221.164
crypto map houston 50 set transform-set strong
crypto map houston 58 match address 108
crypto map houston 58 set peer 74.80.56.70
crypto map houston 58 set transform-set strong
crypto map houston 60 ipsec-isakmp dynamic houston_dyn_map
crypto map houston interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 9
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 192.168.3.2 \moutonasa_config
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.3.2
dns-server value 192.168.3.2
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value ocr-1.local
username remote password
tunnel-group DefaultRAGroup general-attributes
address-pool rw
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group 173.11.176.173 type ipsec-l2l
tunnel-group 173.11.176.173 ipsec-attributes
pre-shared-key *
tunnel-group 71.22.29.120 type ipsec-l2l
tunnel-group 71.22.29.120 ipsec-attributes
pre-shared-key *
tunnel-group 68.15.195.66 type ipsec-l2l
tunnel-group 68.15.195.66 ipsec-attributes
pre-shared-key *
tunnel-group 166.142.221.164 type ipsec-l2l
tunnel-group 166.142.221.164 ipsec-attributes
pre-shared-key *
tunnel-group 74.80.56.70 type ipsec-l2l
tunnel-group 74.80.56.70 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9b03f678bfdc3ec682a6c04b64b4b3ec
: end
07-22-2012 03:49 AM
On the ASA, you are using the NAT ip address on the router for the set peer command:
crypto map houston 58 set peer 74.80.56.70
This is not supported. You can't use the NATed ip on the router.
If you want to use that ip address, you would need to assign it to the loopback interface on the router and you can't use that ip address on the NAT statement.
interface loopback1
ip address 74.80.56.70 255.255.255.255
crypto map mymap local-address loopback1
07-22-2012 05:33 AM
I think I understand what you are saying... but it works on the pix units... I suppose that is because they are a firewall.
So, let me ask this, my ISP gave me two more IP addresses, but not in the same subnet (they gave us a block of four, so only two are usable)... would it be possible for me to keep the nat statement and assign the other IP address to the loopback for the VPN to use? Here is another question, if I wanted to assign another IP that my ISP assigned (again, not in the same block as the main dhcp IP address) is that possible with the vlans on fastethernet 0/1, even though I would assign one of them to the loopback interface?
Thank you for all of your help... we are trying to get this working for now until we get a good plan in place of how to upgrade all of these old units (other offices have old pix and we want to move to an ASA or ISR).
07-22-2012 08:39 AM
Yes, you can assign a different public ip address assigned to you by your ISP on the loopback interface as long as this public IP is routed towards your router.
07-23-2012 07:46 AM
This is not working... I have set an IP from the ISP to my loopback. I can ping that IP address from the ASA now, and from the internet. The CISCO 2621 can not ping the ASA.
UPDATE: If I ping the ASA from the 2621 and use the ip address of the loopback as the source, that works.
When I go to a client on the .8 network behind the 2621 and try to ping say 192.168.1.1 to initiate a VPN between the 2621 and the ASA nothing happens on the ASA even though I have debugs on and a term mon going.
The changes I made on the 2600 are:
interface Loopback1
ip address 76.72.91.93 255.255.255.255
crypto map mymap
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
On the ASA:
crypto map houston 58 match address 108
crypto map houston 58 set peer 76.72.91.93
crypto map houston 58 set transform-set strong
tunnel-group 76.72.91.93 type ipsec-l2l
tunnel-group 76.72.91.93 ipsec-attributes
pre-shared-key *
I don't know why nothing is going on now, but I will say that those three ip route lines that you had me remove... I thought I needed them for this vpn to work.
Any help would be greatly appreciated.
Thanks.
07-23-2012 09:48 AM
Can you please remove the "crypto map mymap" from loopback interface and apply that to fa0/0 instead as originally configured.
Also from host behind the router, pls try to ping the ASA inside interface: 192.168.3.7
07-23-2012 11:33 AM
Did that, no change. I will note that I have the following debugging enabled on the router:
crypto isakmp debugging
crypto engine debugging
crypto ipsec debugging
Now, when I ping from the inside after doing a term mon on the router, I see nothing. No output, no initiation, nothing. If I try to source ping from the router, I still get no debug output. Nothing I do makes any debug output from the current session.
Also, if I do sh isakmp sa I see no peers.
07-23-2012 12:58 PM
Ok, I got it hitting the 2621 again... here is my current debug output from the 2621...
*Mar 5 00:52:31.603: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 74.80.56.70, remote= 174.79.16.121,
local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xACEEC20B(2901328395), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 5 00:52:31.603: ISAKMP: received ke message (1/1)
*Mar 5 00:52:31.603: ISAKMP (0:0): SA request profile is (NULL)
*Mar 5 00:52:31.607: ISAKMP: local port 500, remote port 500
*Mar 5 00:52:31.607: ISAKMP: set new node 0 to QM_IDLE
*Mar 5 00:52:31.607: ISAKMP: insert sa successfully sa = 830A27DC
*Mar 5 00:52:31.607: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
*Mar 5 00:52:31.607: ISAKMP: Looking for a matching key for 174.79.16.121 in default : success
*Mar 5 00:52:31.607: ISAKMP (0:1): found peer pre-shared key matching 174.79.16.121
*Mar 5 00:52:31.611: ISAKMP (0:1): constructed NAT-T vendor-07 ID
*Mar 5 00:52:31.611: ISAKMP (0:1): constructed NAT-T vendor-03 ID
*Mar 5 00:52:31.611: ISAKMP (0:1): constructed NAT-T vendor-02 ID
*Mar 5 00:52:31.611: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 5 00:52:31.611: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
*Mar 5 00:52:31.611: ISAKMP (0:1): beginning Main Mode exchange
*Mar 5 00:52:31.611: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 5 00:52:41.615: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 5 00:52:41.615: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 5 00:52:41.615: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 5 00:52:41.615: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 5 00:52:51.615: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 5 00:52:51.615: ISAKMP (0:1): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 5 00:52:51.615: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 5 00:52:51.615: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 5 00:53:01.603: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 74.80.56.70, remote= 174.79.16.121,
local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)
*Mar 5 00:53:01.603: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 74.80.56.70, remote= 174.79.16.121,
local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x4A760EC5(1249251013), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 5 00:53:01.607: ISAKMP: received ke message (1/1)
*Mar 5 00:53:01.607: ISAKMP: set new node 0 to QM_IDLE
*Mar 5 00:53:01.607: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 74.80.56.70, remote 174.79.16.121)
*Mar 5 00:53:01.615: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 5 00:53:01.615: ISAKMP (0:1): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar 5 00:53:01.615: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 5 00:53:01.615: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 5 00:53:11.615: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 5 00:53:11.615: ISAKMP (0:1): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar 5 00:53:11.615: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 5 00:53:11.615: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 5 00:53:21.615: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 5 00:53:21.615: ISAKMP (0:1): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar 5 00:53:21.615: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 5 00:53:21.615: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 5 00:53:31.603: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 74.80.56.70, remote= 174.79.16.121,
local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)
*Mar 5 00:53:31.603: ISAKMP: received ke message (3/1)
*Mar 5 00:53:31.603: ISAKMP (0:1): peer does not do paranoid keepalives.
*Mar 5 00:53:31.603: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 174.79.16.121) input queue 0
*Mar 5 00:53:31.607: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 174.79.16.121) input queue 0
*Mar 5 00:53:31.607: ISAKMP (0:1): deleting node 1699033836 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar 5 00:53:31.607: ISAKMP (0:1): deleting node 2014091798 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar 5 00:53:31.607: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 5 00:53:31.607: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_DEST_SA
I think that reason given means that the keys are not the same, but I have double checked it.
07-23-2012 01:21 PM
Also, I keep seeing a lot of this on the console now...
*Mar 5 01:11:16.175: CRYPTO_ENGINE: key process suspended and continued
*Mar 5 01:11:16.375: CRYPTO_ENGINE: key process suspended and continued
*Mar 5 01:11:16.575: CRYPTO_ENGINE: key process suspended and continued
*Mar 5 01:11:16.775: CRYPTO_ENGINE: key process suspended and continued
*Mar 5 01:11:16.979: CRYPTO_ENGINE: key process suspended and continued
*Mar 5 01:11:17.175: CRYPTO_ENGINE: key process suspended and continued
*Mar 5 01:11:17.379: CRYPTO_ENGINE: key process suspended and continued
*Mar 5 01:11:17.579: CRYPTO_ENGINE: key process suspended and continued
*Mar 5 01:11:17.779: CRYPTO_ENGINE: key process suspended and continued
UPDATE: added debug statements on the ASA... the ONLY messages that appear on the ASA when I try to ping from a client to the ASA's internal network are...
[IKEv1]: IP = 74.80.56.70, Error: Unable to remove PeerTblEntry
[IKEv1]: IP = 74.80.56.70, Removing peer from peer table failed, no matc!
Which I find odd... I suppose the secondary IP address I am using is not showing up on the front side of the router?
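The ASA log lines here still report IP = 74.80.56.70 although the ASA's crypto map and tunnel-group now name 76.72.91.93, and the earlier reply about the loopback had already pointed out that the ASA must be configured for the address the router actually sources IKE from. The script below is an added example, not code from this thread or from Cisco; it cross-checks the three views: which peers the ASA config will accept (a "set peer" that also has an ipsec-l2l tunnel-group), which source address the ASA log reports IKE arriving from, and which interface the router will source IKE from (the "crypto map ... local-address" interface if one is set, otherwise the interface carrying the crypto map). The config and log excerpts are constructed from the values posted in the thread, with router sub-commands indented as IOS prints them, and the "before" ASA config is the original set peer 74.80.56.70 state.

```python
"""Cross-check the address the ASA sees IKE arriving from against the peer
its config expects, and against how the router picks its IKE source.
Added example, not from the thread; excerpts constructed from posted values."""
import re

ASA_CONFIG_AFTER = """\
crypto map houston 58 match address 108
crypto map houston 58 set peer 76.72.91.93
crypto map houston 58 set transform-set strong
tunnel-group 76.72.91.93 type ipsec-l2l
tunnel-group 76.72.91.93 ipsec-attributes
 pre-shared-key *
"""
ASA_CONFIG_BEFORE = """\
crypto map houston 58 set peer 74.80.56.70
tunnel-group 74.80.56.70 type ipsec-l2l
"""
ASA_LOG = """\
[IKEv1]: IP = 74.80.56.70, Error: Unable to remove PeerTblEntry
[IKEv1]: IP = 74.80.56.70, Removing peer from peer table failed, no match!
"""
ROUTER_CONFIG = """\
interface Loopback1
 ip address 76.72.91.93 255.255.255.255
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 crypto map mymap
!
ip nat pool overit 74.80.56.70 74.80.56.70 netmask 255.255.255.0
ip nat inside source route-map nonat pool overit overload
"""

IKE_SRC_RE = re.compile(r"\[IKEv1\]: IP = (\d+\.\d+\.\d+\.\d+),")


def asa_expected_peers(config):
    """Site-to-site peers the ASA will accept: addresses that appear both as a
    crypto-map 'set peer' and as an ipsec-l2l tunnel-group."""
    set_peers, tg_peers = set(), set()
    for line in config.splitlines():
        if m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            set_peers.add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            tg_peers.add(m.group(1))
    return set_peers & tg_peers


def router_ike_source(config):
    """The router's IKE source: the 'crypto map ... local-address' interface if
    present, otherwise the interface the crypto map is applied to."""
    intf_addr, crypto_intf, local_intf, nat_pool = {}, None, None, set()
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif line.startswith(" ") and current:          # interface sub-command
            parts = line.split()
            if parts[:2] == ["ip", "address"]:
                intf_addr[current] = parts[2]            # an address, or 'dhcp'
            elif parts[:2] == ["crypto", "map"]:
                crypto_intf = current
        else:
            current = None
            if m := re.match(r"crypto map \S+ local-address (\S+)", line):
                local_intf = m.group(1)
            elif m := re.match(r"ip nat pool \S+ (\S+) (\S+)", line):
                nat_pool.update(m.groups())
    src = local_intf or crypto_intf
    return {"interface": src, "address": intf_addr.get(src),
            "interfaces": intf_addr, "nat_pool": nat_pool}


def check_peer_consistency(asa_config, asa_log, router_config):
    """Return (code, detail) findings; an empty list means the three views agree."""
    findings = []
    expected = asa_expected_peers(asa_config)
    seen = {m.group(1) for m in IKE_SRC_RE.finditer(asa_log)}
    for ip in sorted(seen - expected):
        findings.append(("unknown_peer",
                         f"ASA sees IKE from {ip} but has no l2l tunnel-group/set peer for it"))
    src = router_ike_source(router_config)
    if src["address"] == "dhcp":
        findings.append(("dhcp_source",
                         f"router sources IKE from {src['interface']}, a DHCP-assigned address"))
    for ip in sorted(expected):
        holder = [i for i, a in src["interfaces"].items() if a == ip]
        if holder and src["interface"] not in holder:
            findings.append(("peer_on_other_interface",
                             f"{ip} is on {holder[0]} but IKE is sourced from {src['interface']}; "
                             f"'crypto map <name> local-address {holder[0]}' pins it"))
        elif not holder and ip in src["nat_pool"]:
            findings.append(("peer_is_nat_pool",
                             f"ASA peer {ip} is only a NAT pool address on the router, not an interface address"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", ASA_CONFIG_BEFORE), ("after", ASA_CONFIG_AFTER)):
        print(label)
        for code, detail in check_peer_consistency(cfg, ASA_LOG, ROUTER_CONFIG):
            print(f"  [{code}] {detail}")
```

Run against the "after" state it reports the mismatch visible in this post: the ASA sees IKE from 74.80.56.70 with no tunnel-group for it, and the router holds 76.72.91.93 on Loopback1 while sourcing IKE from FastEthernet0/0, which is the combination the earlier local-address suggestion addresses. Against the "before" state it reports what that earlier reply objected to: the ASA peer 74.80.56.70 appears on the router only as the NAT pool address.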
07-23-2012 06:50 PM
Any chance you can save the router config and reload it?
07-23-2012 06:52 PM
I have tried that, I can try it again.