cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1199
Views
0
Helpful
3
Replies

ASA Ipsec VPN problem

welln
Level 1
Level 1

I'm trying to set up remote access IPsec VPN on a pair of ASA 5540 without much success. I've tried for a couple of days without success and would appreciate some help.

I can connect with a client on the outside, and when I try to ping something on the inside I can see the ping requests reach the target but the answers don't come back to the VPN client. I've tried with different NAT rules without success.

Current configuration is attached. Any help is appreciated!

Cheers,

Fredrik

3 Replies 3

welln
Level 1
Level 1

ASA1(config)# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname ASA1
domain-name ali.local
enable password QcL/wtKVQ8cvSP23 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description Outside
nameif Outside
security-level 0
ip address 10.0.84.251 255.255.255.0 standby 10.0.84.250
!
interface GigabitEthernet0/1
description LAN/STATE Failover Interface
!
interface GigabitEthernet0/2
nameif Inside
security-level 100
ip address 10.33.0.248 255.255.255.0 standby 10.33.0.254
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.34.0.248 255.255.255.0 standby 10.34.0.254
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name ali.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Servers standard permit 10.33.0.0 255.255.255.0
access-list Servers standard permit 10.34.0.0 255.255.255.0
access-list Servers standard permit 10.35.0.0 255.255.224.0
access-list Servers standard permit 10.36.0.0 255.255.255.0
access-list Broadcast standard permit host 255.255.255.255
access-list Inside_access_in extended permit ip 10.33.0.0 255.255.255.0 10.36.0.0 255.255.255.0
access-list Inside_access_in extended permit ip 10.36.0.0 255.255.255.0 10.33.0.0 255.255.255.0
access-list Outside_access_in extended permit ip any any
access-list Outside_access_in extended permit icmp any any
access-list management_access_in extended permit ip 10.36.0.0 255.255.255.0 10.34.0.0 255.255.255.0
access-list management_access_in extended permit ip 10.34.0.0 255.255.255.0 10.36.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.33.0.0 255.255.255.0 10.36.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.34.0.0 255.255.255.0 10.36.0.0 255.255.255.0
access-list Outside_access_out extended permit ip any any
access-list nat0-outbound extended permit ip 10.33.0.0 255.255.255.0 10.36.0.0 255.255.255.0
access-list nat0-outbound extended permit ip 10.34.0.0 255.255.255.0 10.36.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool Support 10.36.0.1-10.36.0.200 mask 255.255.255.0
ip local pool SOT-IVTGroup 10.35.0.1-10.35.31.254 mask 255.255.240.0
failover
failover lan unit primary
failover lan interface cluster GigabitEthernet0/1
failover link cluster GigabitEthernet0/1
failover interface ip cluster 10.0.0.1 255.255.255.0 standby 10.0.0.2
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any echo Outside
icmp permit any echo-reply Outside
icmp permit any Inside
icmp permit any echo-reply Inside
icmp permit any echo Inside
icmp permit any management
icmp permit any echo management
icmp permit any echo-reply management
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list nat0-outbound
access-group Outside_access_in in interface Outside
access-group Outside_access_out out interface Outside
access-group Inside_access_in in interface Inside
access-group management_access_in in interface management
route Outside 0.0.0.0 0.0.0.0 10.0.84.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.34.0.0 255.255.255.0 management
http 192.168.40.0 255.255.255.0 Outside
http 192.168.42.0 255.255.255.0 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set transform-set ESP-AES-256-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 2 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 2 set transform-set ESP-AES-128-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 2 set nat-t-disable
crypto map public_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map public_map interface Outside
crypto isakmp identity hostname
crypto isakmp enable Outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 2
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Support internal
group-policy Support attributes
vpn-idle-timeout 120
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Servers
tunnel-group Support type remote-access
tunnel-group Support general-attributes
address-pool Support
default-group-policy Support
tunnel-group Support ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
isakmp ikev1-user-authentication none
!
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
!
prompt hostname context
Cryptochecksum:44205c88eee938637852756105cf2310
: end
ASA1(config)#

welln
Level 1
Level 1

With this configuration i got an "IPSEC spoof detected" on the packet tracer.

/Fredrik

Hi Fredrik,

1. Nat exemption needs to be rewritten as below:

access-list nat0-outbound extended permit ip 10.33.0.0 255.255.255.0 10.36.0.0 255.255.255.0
access-list nat0-outbound extended permit ip 10.34.0.0 255.255.255.0 10.36.0.0 255.255.255.0

nat (Inside) 0 access-list nat0-outbound

access-list nat0-management-outbound extended permit ip 10.34.0.0 255.255.255.0 10.36.0.0 255.255.255.0

nat management) 0 access-list nat0-management-outbound

2. You might want to rewriet the access-lists applied on inside and management interfaces.

3. Packet-tracer will always drop the packet if vpn-traffic is traced from vpn-termination interface to other high-security interface, with "ipsec spoof detected" reason. that implies that the vpn connection is fine.

4. try generating packet-tracer sourced from high-security interface.

5. try applying capture on inside interface and see if you see both way traffic.

6. enable "management-access inside" on ASA, and see if you are able to ping ASAs inside interface ip address.

HTH

regards,

Praveen