VPN tunnel not starting

troosters
Level 1

Hello, I have a CISCO 5505 with ASDM version 6.2 and ASA version 8.2, which is broken. I replaced it with a CISCO 5505, but the ASDM version is 7 and the ASA version is 9.0.1.

The connection of the OLD CISCO looks like:

STORED POLICY
Secure Unit Authentication Enabled : Policy not stored
Split Tunnel Networks              : None
Backup Servers                     : None

RELATED CONFIGURATION
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.128 255.255.255.248
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any object cisco
access-list inside_nat0_outbound extended permit ip any 10.0.0.16 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object Genk
access-list outside_access_in extended permit tcp any host 192.168.1.7 eq 3390
access-list outside_access_in extended permit ip any 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any 192.168.1.0 255.255.255.0 eq ssh
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit udp any any object-group VPN
access-list outside_access_in extended permit tcp any interface outside eq 9675
access-list outside_access_in extended permit tcp any interface outside eq 9676
access-list outside_access_in extended permit tcp any interface outside eq 3400
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 50001
access-list outside_access_in extended permit tcp any interface outside eq 40001
access-list outside_access_in extended permit tcp any interface outside eq 50002
access-list outside_access_in extended permit tcp any interface outside eq 50003
access-list outside_access_in extended permit tcp any interface outside eq 50004
access-list outside_access_in extended permit tcp any interface outside eq 50005
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list Consenso_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Genk
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 81.99.99.99
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp nat-traversal 3600

AND the new one looks like:

STORED POLICY
Secure Unit Authentication Enabled : Policy not stored
Split Tunnel Networks              : None
Backup Servers                     : None

RELATED CONFIGURATION
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 Genk 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 Genk 255.255.255.0
access-list inside_nat0_outbound extended permit ip any VPN 255.255.255.248
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.128 255.255.255.248
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 10.0.0.16 255.255.255.240
access-list inside_nat0_outbound extended permit ip any host Cisco
access-list outside_access_in extended permit tcp any host 192.168.1.7 eq 3390
access-list outside_access_in extended permit tcp any host TSTongeren object-group RDP
access-list outside_access_in extended permit ip any 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any 192.168.1.0 255.255.255.0 eq ssh
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit udp any any object-group VPN
access-list outside_access_in extended permit tcp any interface outside eq 9675
access-list outside_access_in extended permit tcp any interface outside eq 9676
access-list outside_access_in extended permit tcp any interface outside eq 3400
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 50001
access-list outside_access_in extended permit tcp any interface outside eq 40001
access-list outside_access_in extended permit tcp any interface outside eq 50002
access-list outside_access_in extended permit tcp any interface outside eq 50003
access-list outside_access_in extended permit tcp any interface outside eq 50004
access-list outside_access_in extended permit tcp any interface outside eq 50005
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list Consenso_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 81.99.99.99
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
crypto isakmp ipsec-over-tcp port 10000

I noticed the NAT rules look different, as EXEMPT rules cannot be created anymore, but Internet is working when I connect the new one. But the VPN connection does not want to start?

Can any expert have a look at it and help me get this working?

4 Replies

laramire2
Level 7

Hi Troosters,

I hope you're doing great

Could you please attach the current running configuration of the new ASA? I noticed that you are missing some information, but I would need to verify the configuration first. You could also take some debugs to see why the connection is not working. Please use the following debugs:

debug crypto condition peer x.x.x.x >>>> Public IP address where the client is connecting from (you can use whatismyip.com to find that out).

debug crypto ikev1 200

debug crypto ipsec 200


Regards,

Luis.

Hereby I post the config ZIP file. I must say, I cannot test the new config on the live system right now as the "old" CISCO is still connected and the VPN is crucial.
The following command is the problem:

nat (any,outside) source dynamic any interface

You are using dynamic NAT in the manual NAT section and it is placed above all your other NAT statements. Here is the copy-paste from your config file:

nat (any,outside) source dynamic any interface
!
nat (inside,outside) after-auto source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN
nat (any,outside) after-auto source dynamic 192.168.1.7 interface service 3390 3390
nat (any,any) after-auto source static any any

Manual NAT is matched first, then auto NAT, and then after-auto manual NAT.

So here is what I suggest you do.

1.
no nat (any,outside) source dynamic any interface
nat (any,outside) after-auto source dynamic any interface

2.
no nat (inside,outside) after-auto source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN

3.
no nat (any,outside) after-auto source dynamic 192.168.1.7 interface service 3390 3390
nat (any,outside) source static 192.168.1.7 interface service 3390 3390

4. This statement is not needed:
no nat (any,any) after-auto source static any any

As Karthik has mentioned, your outside_access_in ACL should specify the private IP of the NATed server and not the ASA outside interface (public IP).

--

Please remember to select a correct answer and rate helpful posts
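To make the section-ordering point concrete, here is a small Python model of how an ASA running 8.3 or later walks its three NAT sections (manual NAT first, then auto/object NAT, then after-auto manual NAT, first match wins within a section). It is an added illustration, not Cisco code and not from the reply's author. The LOCAL_LAN and REMOTE_LAN subnets are assumed to be 192.168.1.0/24 and 10.10.10.0/28, taken from the nat0 ACL lines in the thread; the Internet destination 203.0.113.9 is a constructed test address.

```python
"""Model of the ASA 8.3+ NAT lookup order: section 1 (manual NAT) is checked
first, then section 2 (auto/object NAT), then section 3 (after-auto manual NAT);
within a section the first matching line wins. Added example, not Cisco code.
The LOCAL_LAN/REMOTE_LAN subnets are assumed from the thread's nat0 ACL."""
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    section: int   # 1 = manual, 2 = auto (object NAT), 3 = after-auto manual
    src: str       # real source to match: CIDR or "any"
    dst: str       # destination to match: CIDR or "any"
    kind: str      # "identity" (static X X) or "dynamic-pat" (dynamic ... interface)
    text: str      # the CLI line being modelled


def covers(match, target):
    """True when address term `match` includes every address of `target`."""
    if match == "any":
        return True
    if target == "any":
        return False
    return ipaddress.ip_network(target).subnet_of(ipaddress.ip_network(match))


def ordered(rules):
    """Rules in lookup order: by section, then config order within a section."""
    return sorted(rules, key=lambda r: r.section)   # sorted() is stable


def lookup(rules, src_ip, dst_ip):
    """Return the first rule a src->dst packet hits, or None (no translation)."""
    for r in ordered(rules):
        if covers(r.src, f"{src_ip}/32") and covers(r.dst, f"{dst_ip}/32"):
            return r
    return None


def translation_for(rules, src_ip, dst_ip):
    r = lookup(rules, src_ip, dst_ip)
    return r.kind if r else "none"


def shadowed_rules(rules):
    """Lines that can never be hit because an earlier line matches a superset."""
    seq = ordered(rules)
    return [r.text for i, r in enumerate(seq)
            if any(covers(e.src, r.src) and covers(e.dst, r.dst) for e in seq[:i])]


# As posted: catch-all PAT in section 1, identity NAT for the tunnel in section 3.
BROKEN = [
    NatRule(1, "any", "any", "dynamic-pat",
            "nat (any,outside) source dynamic any interface"),
    NatRule(3, "192.168.1.0/24", "10.10.10.0/28", "identity",
            "nat (inside,outside) after-auto source static LOCAL_LAN LOCAL_LAN "
            "destination static REMOTE_LAN REMOTE_LAN"),
]
# As suggested: identity NAT in section 1, PAT moved after-auto.
FIXED = [
    NatRule(1, "192.168.1.0/24", "10.10.10.0/28", "identity",
            "nat (inside,outside) source static LOCAL_LAN LOCAL_LAN "
            "destination static REMOTE_LAN REMOTE_LAN"),
    NatRule(3, "any", "any", "dynamic-pat",
            "nat (any,outside) after-auto source dynamic any interface"),
]

if __name__ == "__main__":
    for label, rules in (("as posted", BROKEN), ("as suggested", FIXED)):
        print(label, "| VPN traffic ->", translation_for(rules, "192.168.1.10", "10.10.10.5"),
              "| Internet ->", translation_for(rules, "192.168.1.10", "203.0.113.9"),
              "| shadowed:", shadowed_rules(rules))
```

With the posted order, a packet from 192.168.1.10 to the remote LAN is PATed to the outside interface address before the crypto map is consulted, so it no longer matches the crypto ACL and the tunnel never gets an interesting-traffic trigger; `shadowed_rules` flags the identity line as unreachable. With the suggested order the identity line wins for tunnel traffic and the PAT line still handles Internet-bound traffic.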

nkarthikeyan
Level 7

Hi,

Your NAT exempt rules should be created like this, which is a very important change in post-8.3 versions.

eg:

for this ACL line

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.240

object network locallan
 subnet 192.168.1.0 255.255.255.0
!
object network remotelan
 subnet 10.10.10.0 255.255.255.240
!
nat (inside,outside) source static locallan locallan destination static remotelan remotelan no-proxy-arp


Like this, you have to create multiple objects for source and destination and do NAT exempt. Make sure you create different object names even though you use the same subnet; objects can be used once in your config.

And also your ACLs should use real addresses. In 8.2 the outside interface ACL will have the NATed IP; here you should give the real IP address, if any.

Regards

Karthik
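As an added example (not from Karthik's post and not Cisco tooling), the script below performs the 8.2-to-8.3+ conversion the reply describes for every `permit ip` line of a nat0 ACL, creating a fresh object for each source and destination as the reply recommends. The object names NAT0_<n>_SRC and NAT0_<n>_DST are the script's own convention, `any` is passed through as the `any` keyword, and an existing `object` or `object-group` reference is reused by name. The sample ACL lines are copied from the thread to serve as input.

```python
"""Convert 8.2-style 'nat 0 access-list' exemption lines into the 8.3+
object + manual identity-NAT form. Added example, not Cisco tooling; the
NAT0_<n>_SRC / NAT0_<n>_DST object naming is this script's own assumption."""
import ipaddress
import re

# Sample input: nat0 ACL lines copied from the thread.
SAMPLE_ACL = """\
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.128 255.255.255.248
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any object cisco
access-list inside_nat0_outbound extended permit ip any 10.0.0.16 255.255.255.240
"""

LINE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")


def parse_endpoint(tokens):
    """Consume one address term of an extended ACL; return ((kind, value), rest)."""
    head = tokens[0]
    if head == "any":
        return ("any", None), tokens[1:]
    if head in ("host", "object", "object-group"):
        return (head, tokens[1]), tokens[2:]
    # "a.b.c.d mask" form; strict parsing rejects a network line with host bits set
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")
    return ("subnet", net), tokens[2:]


def emit_object(out, endpoint, name):
    """Append an 'object network' block if one is needed; return the NAT operand."""
    kind, value = endpoint
    if kind == "any":
        return "any"
    if kind in ("object", "object-group"):
        return value                      # already defined in the config; reuse its name
    out.append(f"object network {name}")
    if kind == "host":
        out.append(f" host {value}")
    else:
        out.append(f" subnet {value.network_address} {value.netmask}")
    out.append("!")
    return name


def convert(acl_text, nameif_in="inside", nameif_out="outside"):
    """Return the 8.3+ object and NAT lines for every 'permit ip' line in acl_text."""
    out = []
    n = 0
    for line in acl_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # non-ip or non-ACL lines are not exemptions
        n += 1
        toks = m.group(2).split()
        try:
            src, toks = parse_endpoint(toks)
            dst, toks = parse_endpoint(toks)
        except (ValueError, IndexError) as exc:
            raise ValueError(f"cannot parse nat0 line {n}: {line!r}") from exc
        src_name = emit_object(out, src, f"NAT0_{n}_SRC")
        dst_name = emit_object(out, dst, f"NAT0_{n}_DST")
        # No after-auto keyword: the line lands in the manual NAT section checked first.
        out.append(f"nat ({nameif_in},{nameif_out}) source static {src_name} {src_name} "
                   f"destination static {dst_name} {dst_name} no-proxy-arp")
    return "\n".join(out)


if __name__ == "__main__":
    print(convert(SAMPLE_ACL))
```

The generated `nat` lines carry no `after-auto` keyword, so they sit in the manual NAT section that is evaluated first, ahead of any catch-all dynamic PAT; a line whose network/mask pair has host bits set is rejected rather than silently producing a wrong object.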
