04-12-2011 01:55 AM
Hi,
I have a 1800 series running IOS 12.4(6)T11, and an ASA 5505 running 8.2 that I am trying to connect using a lan 2 lan tunnel.
1800:
WAN a.b.c.141
LAN 192.168.0.0/24
ASA5505:
WAN x.y.z.125
LAN 10.180.3.0/24
The 1800 also has pptp clients, on 172.16.99.0/24 network.
Problem:
When I try to establish a connection from a host on one of the LANs to the other, I can see that phase 1 works. During phase 2, some interesting debug messages are seen:
002611: *Apr 11 19:15:24.142 UTC: map_db_find_best did not find matching map
002612: *Apr 11 19:15:24.142 UTC: IPSEC(crypto_ipsec_process_proposal): proxy identities not supported
002613: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031): IPSec policy invalidated proposal with error 32
002614: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031): phase 2 SA policy not acceptable! (local a.b.c.141 remote x.y.z.125)
002615: *Apr 11 19:15:24.142 UTC: ISAKMP: set new node -1883245570 to QM_IDLE
002616: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2215023312, message ID = -1883245570
002617: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031): sending packet to x.y.z.125 my_port 500 peer_port 500 (R) QM_IDLE
002618: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031):purging node -1883245570
002619: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031):deleting node -9204283 error TRUE reason "QM rejected"
002620: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031):Node -9204283, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
During the negotiation, "show crypto isakmp" first shows "ACTIVE", but after a minute or so switches to "ACTIVE (DELETED)".
From what I can see, the cisco 1800 seems to terminate the tunnel because it is unhappy with some of the phase 2 options.
# on 1800
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
a.b.c.141 x.y.z.125 QM_IDLE 2029 0 ACTIVE
# on 5505
2 IKE Peer: a.b.c.141
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
# after a minute or so on the 1800 (no difference on 5505s output)
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
a.b.c.141 x.y.z.125 QM_IDLE 2030 0 ACTIVE
a.b.c.141 x.y.z.125 MM_NO_STATE 2029 0 ACTIVE (deleted)
I suspect it could be because of NATing on either side. I am a little unsure on the NAT config of the 1800, could it be that it tries to nat the 192.168.0.0/24 when passing it over the tunnel?
04-12-2011 03:52 AM
Hi,
I don't see a nat exemption configured on the router.
Please try the following:
ip nat inside source route-map natmap interface overload.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
04-12-2011 04:07 AM
As you can see, I already have an "ip nat" configured:
ip nat inside source list NAT_CLIENTS pool S_GLOBAL_IP_POOL overload
!
ip access-list standard NAT_CLIENTS
permit 192.168.0.0 0.0.255.255
permit 10.10.10.0 0.0.0.255
permit 172.16.99.0 0.0.0.255
In the above configuration, 192.168.0.0/16 is permitted. I can't seem to add a rule that denies 192.168.0.0/24 (or /16) when destination is the LAN of the other side (10.180.3.0/24).
Secondly, if I issue "ip nat inside source route-map natmap interface overload.", wouldn't that overwrite the ip nat above? (if so, all offices going through that router would lose their internet connectivity)
04-12-2011 04:19 AM
As per your recommendation, I brought nat down on both interfaces -> cleared the translation table and finally replaced the "ip nat inside .... pool ...".
As you can see here, there is a clear exempt when src is LAN (192.168.0.0/24) on cisco 1800, and dst is the LAN behind the ASA (10.180.3.0/24):
ip nat pool S_GLOBAL_IP_POOL a.b.c.139 a.b.c.141 prefix-length 24
ip nat inside source route-map natmap pool S_GLOBAL_IP_POOL overload
!
ip access-list extended natrules
deny ip 192.168.0.0 0.0.0.255 10.180.3.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 any
permit ip 10.10.10.0 0.0.0.255 any
permit ip 172.16.99.0 0.0.0.255 any
!
route-map natmap permit 10
match ip address natrules
Show ip nat statistics confirms that the new route-map is in use:
Dynamic mappings:
-- Inside Source
[Id: 2] route-map natmap pool S_GLOBAL_IP_POOL refcount 1137
pool S_GLOBAL_IP_POOL: netmask 255.255.255.0
start a.b.c.139 end a.b.c.141
type generic, total addresses 3, allocated 2 (66%), misses 0
Queued Packets: 0
The error message seen by debugging does however persist, and with no other information in it.
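A quick way to verify a NAT exemption like the one above before touching the router is to replay the ACL logic offline. The following Python script is an added example, not code from the thread or from Cisco: it parses the two ACLs posted above (the original standard NAT_CLIENTS list and the extended natrules list) and applies the IOS dynamic-NAT semantics of first match wins, implicit deny at the end, "permit" means translate and "deny" means leave alone. The sample hosts and the helper names (parse_acl, is_translated, leaking_flows) are my own; only contiguous wildcard masks and "ip" extended entries are handled.

```python
"""Offline check: does a Cisco IOS NAT ACL leave VPN traffic untranslated?

Added example (not from the thread). Assumed IOS semantics for the ACL
behind `ip nat inside source list ...` or `... route-map ...`:
top-down evaluation, first match wins, implicit deny at the end,
'permit' = translate the packet, 'deny' = do not translate it.
"""
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco 'address wildcard' pair into an IPv4Network.

    A wildcard bit of 0 must match, 1 is don't-care. Only contiguous
    wildcards (0.0.0.255, 0.0.255.255, ...) map to a prefix; anything
    else raises instead of silently producing a wrong network.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF != mask:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _take_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) >= 2 and tokens[1].count(".") == 3:
        return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]
    # bare address in a standard ACL is a single host
    return ipaddress.IPv4Network(tokens[0] + "/32"), tokens[1:]


def parse_acl(text: str):
    """Parse permit/deny lines of a standard or extended ('ip') IOS ACL
    into (action, src_net, dst_net) tuples; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, rest = tokens[0], tokens[1:]
        if rest and rest[0] == "ip":          # extended ACE: ip SRC DST
            src, rest = _take_address(rest[1:])
            dst, rest = _take_address(rest)
        else:                                 # standard ACE: SRC only
            src, rest = _take_address(rest)
            dst = ANY
        entries.append((action, src, dst))
    return entries


def is_translated(acl, src_ip: str, dst_ip: str) -> bool:
    """True if a packet src_ip -> dst_ip would be NATed under this ACL."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False  # no match: implicit deny, so no translation


def leaking_flows(acl, tunnel_flows):
    """Return the (src, dst) flows that should ride the tunnel untouched
    but would be translated by this ACL. Empty list means exemption works."""
    return [(s, d) for s, d in tunnel_flows if is_translated(acl, s, d)]


# The two ACLs as posted in the thread: before and after the exemption.
BEFORE = parse_acl("""
ip access-list standard NAT_CLIENTS
 permit 192.168.0.0 0.0.255.255
 permit 10.10.10.0 0.0.0.255
 permit 172.16.99.0 0.0.0.255
""")
AFTER = parse_acl("""
ip access-list extended natrules
 deny ip 192.168.0.0 0.0.0.255 10.180.3.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 10.10.10.0 0.0.0.255 any
 permit ip 172.16.99.0 0.0.0.255 any
""")

# Constructed sample flows: hosts chosen inside the two LANs from the thread.
TUNNEL_FLOWS = [("192.168.0.10", "10.180.3.20"), ("192.168.0.200", "10.180.3.1")]

if __name__ == "__main__":
    print("translated by NAT_CLIENTS:", leaking_flows(BEFORE, TUNNEL_FLOWS))
    print("translated by natrules   :", leaking_flows(AFTER, TUNNEL_FLOWS))
    print("PPTP client to remote LAN still NATed:",
          is_translated(AFTER, "172.16.99.5", "10.180.3.20"))
```

Running it shows that NAT_CLIENTS translates both sample tunnel flows (the "proxy identities not supported" symptom, since the source the ASA expects never reaches the crypto map), while natrules exempts them and still translates ordinary internet-bound traffic. It also makes visible that the posted natrules only exempts 192.168.0.0/24: a PPTP client in 172.16.99.0/24 talking to 10.180.3.0/24 would still be translated, which is worth knowing if those clients are meant to reach the remote LAN.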
04-13-2011 01:35 AM
Match identity + proper nat exemption solved the problem!