03-03-2012 03:52 PM
I am having all sorts of trouble connecting a Cisco RVS4000 to a Cisco ASA 5505 over IPsec... I have used the "site to site" VPN wizard. I am new at this, so any advice would be good. I have a fresh "factory reset" on my ASA 5505...
03-03-2012 08:47 PM
Please post the config from both devices, I can look into it for you.
thanks
03-03-2012 11:09 PM
ASA 5505 Config
: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa
enable password Yn8Esq3NcXIHL35v encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.0.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Office
 subnet 192.168.1.0 255.255.255.0
object network Remote
 subnet 10.0.0.0 255.0.0.0
access-list outside_cryptomap extended permit ip object Remote object Office
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (outside,outside) source static Remote Remote destination static Office Office no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 71.65.82.167
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.5-10.0.0.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_71.65.82.167 internal
group-policy GroupPolicy_71.65.82.167 attributes
 vpn-tunnel-protocol ikev2
tunnel-group 71.65.82.167 type ipsec-l2l
tunnel-group 71.65.82.167 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:99c9772034aa8cbd746af5df96334d8f
: end
no asdm history enable
RVS4000 - the blank box in Local (marked in red) is where I enter my site B WAN IP, and Remote is where I set up my site A WAN.
03-04-2012 08:34 AM
Hi there,
Please follow this change on your ASA
Please remove the old nat and add the new nat as shown below.
nat (inside,outside) source static Remote Remote destination static Office Office no-proxy-arp route-lookup
Please remove the old config and add the new tunnel-group as shown below
tunnel-group 71.65.82.167 ipsec-attributes
ikev1 pre-shared-key hello-sir-your-key-goes-here
Please add a static route on the FW.
route outside 192.168.1.0 255.255.255.0 xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx is your firewall's default gateway).
Let me know how this is coming along.
thanks
Rizwan Rafeek
03-04-2012 09:21 AM
I ran into a problem here:
route outside 192.168.1.0 255.255.255.0 xxx.xxx.xxx.xxx X is your Firewall default-gateway.
Error:
ciscoasa(config)# route outside 192.168.1.0 255.255.255.0 10.0.0.1
%Invalid next hop address, it belongs to one of our interfaces
So I changed it to 10.0.0.0 and it accepted it... Here is the RVS4000 log with errors:
Mar 4 09:11:10 - [VPN Log]: shutting down
Mar 4 09:11:10 - [VPN Log]: forgetting secrets
Mar 4 09:11:10 - [VPN Log]: "1": deleting connection
Mar 4 09:11:10 - [VPN Log]: "1" #2: deleting state (STATE_MAIN_I1)
Mar 4 09:11:10 - [VPN Log]: ERROR: "1": pfkey write() of SADB_X_DELFLOW message 6 for flow int.0@0.0.0.0 failed. Errno 14: Bad address
Mar 4 09:11:10 - [VPN Log]: | 02 0f 00 0b 0e 00 00 00 06 00 00 00 11 26 00 00
Mar 4 09:11:10 - [VPN Log]: | 03 00 15 00 00 00 00 00 02 00 00 00 c0 a8 01 00
Mar 4 09:11:10 - [VPN Log]: | 00 00 00 00 84 0b 00 40 03 00 16 00 00 00 00 00
Mar 4 09:11:10 - [VPN Log]: | 02 00 00 00 0a 00 00 00 b0 25 01 00 25 00 00 00
Mar 4 09:11:10 - [VPN Log]: | 03 00 17 00 00 00 00 00 02 00 00 00 ff ff ff 00
Mar 4 09:11:10 - [VPN Log]: | 4e 53 4d 49 54 20 69 6e 03 00 18 00 00 00 00 00
Mar 4 09:11:10 - [VPN Log]: | 02 00 00 00 ff 00 00 00 20 65 78 70 00 00 00 00
Mar 4 09:11:11 - [VPN Log]: "1": unroute-client output: 0
Mar 4 09:11:11 - [VPN Log]: shutting down interface ipsec0/eth1 71.65.82.167:4500
Mar 4 09:11:11 - [VPN Log]: shutting down interface ipsec0/eth1 71.65.82.167:500
Mar 4 09:11:15 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)
Mar 4 09:11:15 - [VPN Log]: @(#) built on May 17 2011:12:00:43:
Mar 4 09:11:15 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
Mar 4 09:11:15 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1
Mar 4 09:11:15 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)
Mar 4 09:11:15 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Mar 4 09:11:15 - [VPN Log]: starting up 1 cryptographic helpers
Mar 4 09:11:15 - [VPN Log]: started helper pid=10398 (fd:5)
Mar 4 09:11:15 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
Mar 4 09:11:15 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
Mar 4 09:11:15 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
Mar 4 09:11:15 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
Mar 4 09:11:15 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
Mar 4 09:11:15 - [VPN Log]: Warning: empty directory
Mar 4 09:11:15 - [VPN Log]: added connection description "1"
Mar 4 09:11:15 - [VPN Log]: listening for IKE messages
Mar 4 09:11:15 - [VPN Log]: adding interface ipsec0/eth1 71.65.82.167:500
Mar 4 09:11:15 - [VPN Log]: adding interface ipsec0/eth1 71.65.82.167:4500
Mar 4 09:11:15 - [VPN Log]: loading secrets from "/etc/ipsec.secrets"
Mar 4 09:11:17 - [VPN Log]: "1": route-client output: 0
Mar 4 09:11:17 - [VPN Log]: "1" #1: initiating Main Mode
Mar 4 09:12:27 - [VPN Log]: "1" #1: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
Here is the show config from the ASA after I made the changes you suggested:
: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa
enable password Yn8Esq3NcXIHL35v encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.0.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Office
 subnet 192.168.1.0 255.255.255.0
object network Remote
 subnet 10.0.0.0 255.0.0.0
access-list outside_cryptomap extended permit ip object Remote object Office
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (outside,outside) source static Remote Remote destination static Office Office no-proxy-arp route-lookup
nat (inside,outside) source static Remote Remote destination static Office Office no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 192.168.1.0 255.255.255.0 10.0.0.0 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 71.65.82.167
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.5-10.0.0.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_71.65.82.167 internal
group-policy GroupPolicy_71.65.82.167 attributes
 vpn-tunnel-protocol ikev1 ikev2
tunnel-group 71.65.82.167 type ipsec-l2l
tunnel-group 71.65.82.167 general-attributes
 default-group-policy GroupPolicy_71.65.82.167
tunnel-group 71.65.82.167 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9e86d6efd02e5d026a6dedd0a9eb4e11
: end
no asdm history enable
Is a setting wrong on the RVS? It's just configured via the web UI, etc., but it seems like the ASA is blocking it? Any way of giving me the commands to start from scratch and set this up from the command line? Perhaps I should reset and start from scratch? I appreciate your time in helping me get this going.
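The pluto log above stops at STATE_MAIN_I1 with no reply at all: the RVS4000 runs Openswan and initiates IKEv1 Main Mode, while the ASA config it talks to has only "crypto ikev2 enable outside" and a crypto map entry with an IKEv2 proposal and no IKEv1 transform-set, so the ASA never answers on IKEv1. The NAT exemption is also written as (outside,outside), which never matches traffic from inside hosts. The script below is an added example for this thread, not code from the posts or from Cisco: a small Python lint that takes an ASA 8.4 running-config in the flat form posted here and reports the pieces an IKEv1 LAN-to-LAN peer needs. BEFORE and AFTER are constructed samples condensed from the first and last configs posted in the thread; lint_asa() and _children() are this example's own names.

```python
"""Lint an ASA 8.4 IKEv1 LAN-to-LAN (ipsec-l2l) config for the pieces that
decide whether an IKEv1 peer such as the RVS4000 (Openswan, Main Mode) can
bring the tunnel up. Added example for this thread; not code from the posts
or from Cisco. BEFORE/AFTER are constructed samples condensed from the first
and last configs in the thread; lint_asa() and _children() are this
example's own names."""
import re

PEER = "71.65.82.167"   # RVS4000 WAN address as posted in the thread

BEFORE = """\
access-list outside_cryptomap extended permit ip object Remote object Office
nat (outside,outside) source static Remote Remote destination static Office Office no-proxy-arp route-lookup
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 71.65.82.167
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ikev2 enable outside
tunnel-group 71.65.82.167 type ipsec-l2l
tunnel-group 71.65.82.167 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
"""

AFTER = """\
access-list outside_cryptomap extended permit ip object 329 object 64
nat (inside,outside) source static 329 329 destination static 64 64 no-proxy-arp route-lookup
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 71.65.82.167
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
tunnel-group 71.65.82.167 type ipsec-l2l
tunnel-group 71.65.82.167 ipsec-attributes
 ikev1 pre-shared-key *****
"""


def _children(lines, header):
    """Indented sub-commands that follow an exact `header` line (ASA nests
    sub-commands with one leading space)."""
    out, grab = [], False
    for l in lines:
        if l == header:
            grab = True
        elif grab and l.startswith(" "):
            out.append(l.strip())
        elif grab:
            break
    return out


def lint_asa(config, peer=PEER):
    """Return a list of findings; empty means the IKEv1 L2L pieces for
    `peer` are present and consistent with each other."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    findings, cmap, seq, iface, acl = [], None, None, None, None

    # 1. crypto map entry for this peer and the interface the map is bound to
    for l in lines:
        m = re.match(r"crypto map (\S+) (\d+) set peer (\S+)$", l)
        if m and m.group(3) == peer:
            cmap, seq = m.group(1), m.group(2)
    if cmap is None:
        return [f"no crypto map entry sets peer {peer}"]
    entry = [l for l in lines if l.startswith(f"crypto map {cmap} {seq} ")]
    for l in lines:
        m = re.match(rf"crypto map {re.escape(cmap)} interface (\S+)$", l)
        iface = m.group(1) if m else iface
    if iface is None:
        findings.append(f"crypto map {cmap} is not applied to any interface")

    # 2. an IKEv1 peer needs an ikev1 transform-set on the entry and IKEv1
    #    enabled on that interface; an IKEv2-only ASA never answers Main Mode
    if not any(" set ikev1 transform-set " in l for l in entry):
        findings.append(f"crypto map {cmap} {seq} has no ikev1 transform-set")
    if iface and f"crypto ikev1 enable {iface}" not in lines:
        findings.append(f"crypto ikev1 enable {iface} is missing")

    # 3. LAN-to-LAN tunnel-group carrying an IKEv1 pre-shared key
    if f"tunnel-group {peer} type ipsec-l2l" not in lines:
        findings.append(f"tunnel-group {peer} type ipsec-l2l is missing")
    attrs = _children(lines, f"tunnel-group {peer} ipsec-attributes")
    if not any(a.startswith("ikev1 pre-shared-key ") for a in attrs):
        findings.append(f"tunnel-group {peer} has no ikev1 pre-shared-key")

    # 4. crypto ACL objects must be exempted from NAT on the inside->outside
    #    path; a rule written as (outside,outside) never matches inside hosts
    for l in entry:
        m = re.match(r".* match address (\S+)$", l)
        acl = m.group(1) if m else acl
    pat = rf"access-list {re.escape(acl or '')} extended permit ip object (\S+) object (\S+)"
    pairs = [m.groups() for m in map(lambda l: re.match(pat, l), lines) if m]
    if not pairs:
        findings.append(f"crypto ACL {acl} has no 'permit ip object A object B' line")
    nat_re = re.compile(r"nat \(([^,]+),([^)]+)\) source static (\S+) (\S+) "
                        r"destination static (\S+) (\S+)")
    for src, dst in pairs:
        seen = [(m.group(1), m.group(2)) for m in map(nat_re.match, lines)
                if m and m.group(3, 4, 5, 6) == (src, src, dst, dst)]
        if not any(a != iface and b == iface for a, b in seen):
            found = ", ".join(f"({a},{b})" for a, b in seen) or "none"
            findings.append(f"no identity NAT from an inside interface to {iface} "
                            f"for {src} -> {dst} (found: {found})")
    return findings
```

Running lint_asa(BEFORE) reports four findings (no ikev1 transform-set, IKEv1 not enabled on outside, no ikev1 pre-shared-key, identity NAT only as (outside,outside)); lint_asa(AFTER) reports none. The lint does not look at the ISAKMP policies themselves, so a NO_PROPOSAL_CHOSEN from the peer after these pass still means the phase 1 encryption/hash/DH group/lifetime offered by the RVS4000 matches none of the ASA's ikev1 policies.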
03-04-2012 09:42 AM
OK, I misread and missed where you said to delete the old NAT and config... I did so in the ASDM and saved it, then went to the command line and re-added the NAT with no problem, but when I go to re-create the tunnel-group I get this:
ciscoasa(config)# tunnel-group 71.65.82.167 ipsec-attributes
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)#
?
03-04-2012 09:55 AM
You must create the tunnel-group first as shown below...
tunnel-group 71.65.82.167 type ipsec-l2l
and then
tunnel-group 71.65.82.167 ipsec-attributes
03-04-2012 09:51 AM
Please remove these highlighted lines.
tunnel-group 71.65.82.167 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
"Is a setting wrong on the RVS?" I have never worked on RVS devices, but it seems to be OK.
"It's just configured via the web UI, etc., but it seems like the ASA is blocking it?" Not really, but the configuration is not correct yet on the ASA.
"Perhaps I should reset and start from scratch?" Not needed.
Initiate a ping from a PC behind the ASA to an available IP address on the remote segment.
Let me know the results.
thanks
03-04-2012 11:32 AM
The network objects that I created: does "Office" need to be 192.168.1.1/255.255.255.0 or 192.168.1.0/255.255.255.0,
and Remote (ASA) 10.0.0.0/255.0.0.0 or 10.0.0.1/255.0.0.0?
03-04-2012 11:57 AM
"The network objects that I created: does "Office" need to be 192.168.1.1/255.255.255.0 or 192.168.1.0/255.255.255.0,
and Remote (ASA) 10.0.0.0/255.0.0.0 or 10.0.0.1/255.0.0.0?"
I am aware of that.
Your naming convention does not match what is configured on the FW ASA.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.0.0.0
object network Remote
 subnet 10.0.0.0 255.0.0.0
Obviously 10.0.0.1 is the local segment with mask /8.
object network Office
 subnet 192.168.1.0 255.255.255.0
Object names are for human understanding, but the syntax used to carry the config has to be correct.
Can you establish the tunnel?
thanks
03-04-2012 01:53 PM
I was not able to establish a tunnel, but I did a reset and changed some things up, and I believe I am much closer here...
I reset the ASA 5505 to an inside address of 192.168.1.1 / 255.255.255.0
Firewall Network Object: 329 (My Office) is 192.168.1.0 / 255.255.255.0
Firewall Network Object 64 (Remote Office) is 192.168.2.0 / 255.255.255.0
The remote office (RVS4000) is kicking this back now:
adding interface ipsec0/eth1 71.65.82.167:500
Mar 4 13:50:59 - [VPN Log]: adding interface ipsec0/eth1 71.65.82.167:4500
Mar 4 13:50:59 - [VPN Log]: loading secrets from "/etc/ipsec.secrets"
Mar 4 13:51:01 - [VPN Log]: "Remote": route-client output: 0
Mar 4 13:51:01 - [VPN Log]: "Remote" #1: initiating Main Mode
Mar 4 13:51:01 - [VPN Log]: packet from 174.102.52.148:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Mar 4 13:51:01 - [VPN Log]: packet from 174.102.52.148:500: received and ignored informational message
Mar 4 13:51:11 - [VPN Log]: packet from 174.102.52.148:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Mar 4 13:51:11 - [VPN Log]: packet from 174.102.52.148:500: received and ignored informational message
At the remote site with the RVS4000 I can ping the ASA and get a response. From my office I ping the remote office and I get no response.
Here is my new ASA Config:
: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa
enable password Yn8Esq3NcXIHL35v encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 329
 subnet 192.168.1.0 255.255.255.0
object network 64
 subnet 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object 329 object 64
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static 329 329 destination static 64 64 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 71.65.82.167
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_71.65.82.167 internal
group-policy GroupPolicy_71.65.82.167 attributes
 vpn-tunnel-protocol ikev1
tunnel-group 71.65.82.167 type ipsec-l2l
tunnel-group 71.65.82.167 general-attributes
 default-group-policy GroupPolicy_71.65.82.167
tunnel-group 71.65.82.167 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e4a02e8bfc561ad76dc0a8967e7c55b9
: end
no asdm history enable
03-04-2012 02:52 PM
I disabled keepalives and the VPN tunnel is now connected; however, I cannot ping anything on the other side. From 192.168.1.1 I can ping 192.168.2.1, but from 192.168.2.1 I cannot ping 192.168.1.1.