ASA Policy NAT with Palo Alto firewall

evoight
Level 1

I am trying to set up an originate-only VPN tunnel with a Palo Alto firewall.  The remote admin has created a private IP for me to set up an ACL and pass traffic.  I have set up the ASA correctly (I think), yet I am still getting this in the ASA log and the tunnel will not pass traffic:

3  Oct 10 2011  11:42:12  713902  Group = 205.x.182.4, IP = 205.168.182.4, Removing peer from correlator table failed, no match!
1  Oct 10 2011  11:42:12  713900  Group = 205.x.182.4, IP = 205.x.182.4, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
3  Oct 10 2011  11:42:12  713902  Group = 205.x.182.4, IP = 205.168.182.4, QM FSM error (P2 struct &0xae3e95f0, mess id 0x3a35745e)!

Here are the code snips...

access-list ll_polnat extended permit ip 192.168.0.0 255.255.254.0 host 205.x.182.71
access-list ll_cryptomap extended permit ip host 192.168.74.101 host 205.x.182.71
global (Outside) 2 192.168.74.101
nat (Inside) 2 access-list ll_polnat
crypto map Outside_map 4 match address ll_cryptomap
crypto map Outside_map 4 set connection-type originate-only
crypto map Outside_map 4 set peer 205.x.182.4
crypto map Outside_map 4 set transform-set ESP-AES-256-SHA
tunnel-group 205.x.182.4 type ipsec-l2l
tunnel-group 205.x.182.4 ipsec-attributes
pre-shared-key *

The remote admin says that his logs indicate the ASA is trying to set up traffic to pass between 66.x.41.62 (ASA outside) and 205.x.182.4 (Palo Alto outside).  The traffic is supposed to flow between 192.168.74.101 (ASA side) and 205.x.182.71.  Any thoughts would be appreciated.

Eric

3 Replies

Mohammad Alhyari
Cisco Employee

Hi Eric,

The ASA should negotiate what is in the crypto access-list, which in this case is:

host 192.168.74.101 host 205.x.182.71

Do the following debug on the ASA and initiate traffic:

debug crypto ipsec 125

You should be able to see which proxies the ASA suggests to the other side.

HTH

Mohammad.

acl_compute_md5_acl_name_hash(): Hash Input: OO_temp_Outside_map4, Hash Output: 0x8036393d
Hash Input: OO_temp_Outside_map4 extended permit 0 host 66.x.41.62 host 205.x.182.4, Hash Output: 0xd81f0647
IPSEC(crypto_map_check): crypto map Outside_map 1 does not hole match for ACL Outside_1_cryptomap.
IPSEC(crypto_map_check): crypto map Outside_map 2 does not hole match for ACL Outside_2_cryptomap.
IPSEC(crypto_map_check): crypto map Outside_map 3 does not hole match for ACL Outside_3_cryptomap.
IPSEC(crypto_map_check): crypto map Outside_map 3 does not hole match for ACL OO_temp_Outside_map3.
IPSEC(crypto_map_check): crypto map Outside_map 4 is dormant.
IPSEC: New embryonic SA created @ 0xAE84EEE0,
    SCB: 0xAE7AF518,
    Direction: inbound
    SPI      : 0xB448BD6C
    Session ID: 0x029AE000
    VPIF num  : 0x00000001
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds

This is what I get.  Crypto map 4 is the one in question.  Not sure what this is telling me other than the crypto map 4 is not being used.

Looks like the NAT is not working.  Packet trace shows traffic going through the policy NAT pool, but sh xlate does not have an item for global (outside) 2.
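An added example, not from this thread and not Cisco code: a small Python model of the ordering that Mohammad's reply and Eric's last observation both hinge on. On pre-8.3 ASA code, outbound traffic is policy-NATed first, and the crypto map ACL is then checked against the translated addresses, so if the xlate is never built the packet reaches the crypto check with its original 192.168.0.x source and matches no entry. It assumes the masked 205.x.182.0 addresses are stood in for by 203.0.113.0 (TEST-NET), and its ACL/NAT parsing is a simplified reimplementation, not the ASA's.

```python
import ipaddress
import re

# Constructed copy of the thread's config; 203.0.113.x stands in for the masked 205.x.182.x.
CONFIG = """
access-list ll_polnat extended permit ip 192.168.0.0 255.255.254.0 host 203.0.113.71
access-list ll_cryptomap extended permit ip host 192.168.74.101 host 203.0.113.71
global (Outside) 2 192.168.74.101
nat (Inside) 2 access-list ll_polnat
crypto map Outside_map 4 match address ll_cryptomap
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)")
NAT_RE = re.compile(r"nat \(\S+\) (\d+) access-list (\S+)")
GLOBAL_RE = re.compile(r"global \(\S+\) (\d+) (\S+)")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) match address (\S+)")

def to_net(tok):
    """Turn an ACL address token ('host A' or 'A MASK') into an IPv4Network."""
    if tok.startswith("host "):
        return ipaddress.ip_network(tok.split()[1] + "/32")
    addr, mask = tok.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(cfg):
    acls, nats, globals_, maps = {}, {}, {}, []
    for line in cfg.strip().splitlines():
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((to_net(m[2]), to_net(m[3])))
        elif m := NAT_RE.match(line):
            nats[m[1]] = m[2]        # nat id -> policy ACL name
        elif m := GLOBAL_RE.match(line):
            globals_[m[1]] = m[2]    # nat id -> translated (global) address
        elif m := MAP_RE.match(line):
            maps.append((m[1], int(m[2]), m[3]))
    return acls, nats, globals_, maps

def acl_matches(acl, src, dst):
    return any(src in s and dst in d for s, d in acl)

def proxy_ids(cfg, src, dst, nat_applied=True):
    """Return (crypto map entry, proxy src, proxy dst) for a flow src->dst.
    nat_applied=False models the failure Eric sees: no xlate, so no translation."""
    acls, nats, globals_, maps = parse(cfg)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if nat_applied:
        for nat_id, acl_name in nats.items():
            if acl_matches(acls[acl_name], src, dst):
                src = ipaddress.ip_address(globals_[nat_id])
                break
    for name, seq, acl_name in maps:
        if acl_matches(acls[acl_name], src, dst):
            return f"{name} {seq}", str(src), str(dst)
    return None, str(src), str(dst)
```

With the translation in place the flow lands on Outside_map 4 with proxies 192.168.74.101 and 203.0.113.71; without it no crypto map entry matches, which is the "dormant" state the debug shows.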