
Cisco ASA 5505 IPSEC, one endpoint behind NAT device

RonaldU645
Level 1

We have two Cisco ASA 5505 devices.
Both are identical, however, one of them is behind a NAT device.
We are attempting to create an IPSEC network.

Site fg:
<ipsec_subnet1> -- ASA 5505 (ASA1) -- <internet>
ASA1: 10.1.1.2/24 (inside), 212.xxx.xxx.xxx/28 (outside)

Site be:
<ipsec_subnet2> -- ASA 5505 (ASA3) -- Zywall USG (USG1) -- <internet>
ASA3: 10.1.4.1/24 (inside), 192.168.4.50/24 (outside)
USG1: 192.168.4.100/24 (inside), 195.xxx.xxx.xxx/30 (outside)
USG1: UDP port 500/4500 forwarded to 192.168.4.50

It seems that ASA1 stops the procedure (we verified this with debug crypto isakmp 254):
Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, QM FSM error (P2 struct &0xd1111cd8, mess id 0x81111a78)!
Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.4.50/255.255.255.255/0/0 local proxy 212.xxx.xxx.xxx/255.255.255.255/0/0 on interface outside
Group = 195.xxx.xxx.xxx, IP = 195.xxx.xxx.xxx, PHASE 1 COMPLETED

We verified / attempted the following:
- NAT exemption on both sides for IPSEC subnets
- Mirror image crypto maps
- Disabled IKE peer ID validation (yes, pre-shared key but we ran out of ideas)
- Toggled between static to dynamic crypto maps on ASA1
Most search results turned up results referring to incorrect settings of the crypto map or the lack of NAT exemption.

Does anyone have any idea?

195.txt contains show running-config of ASA3
212.txt contains show running-config of ASA1
log.txt contains a more or less complete log snippet of ASA1

3 Replies

Abaji Rawool
Level 3

Hi,

On 212 I see

tunnel-group 195.xxx.xxx.xxx type ipsec-l2l
tunnel-group 195.xxx.xxx.xxx ipsec-attributes
 pre-shared-key 

When you define the peer with a static tunnel-group entry, the ASA looks for the peer configuration in a static crypto map. If the peer is behind static NAT, configure a proper static crypto map with a matching ACL and proposals.

If the peer is behind dynamic NAT, refer to this example: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
Regards,

Abaji.

Thank you for your answer Abaji Rawool,
Yeah, I was planning on reverting that and eventually did.

Reverting back to a static crypto map on fg-asa1 was the alternative situation.
However, we still had the exact same crypto map error.
You know what fixed it? We disabled PFS.

If anybody knows, I'm eager to learn about that...
I'm going to look online why that is. It's just odd...

No one has a clue why disabling PFS fixed this?

Or am I missing something obvious?
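The rejection in the original post ("no matching crypto map entry for remote proxy ... local proxy ...") and the PFS change that resolved it at the end of the thread both come down to the responder's crypto map lookup: the proposed proxy identities have to fall inside a line of the crypto ACL, and the Phase 2 parameters, PFS included, have to agree with the peer. A PFS mismatch can present as this same rejection message, which is consistent with what the thread reports. The script below is an added example, not the poster's files or Cisco tooling: it parses the crypto ACL, `match address`, `set peer` and `set pfs` lines out of two ASA running-config fragments, pulls the proxy identities out of a debug line of the shape quoted above, and reports which of the three checks fails. The configuration fragments and the log line are constructed; the public addresses use RFC 5737 documentation ranges in place of the masked 212.xxx.xxx.xxx and 195.xxx.xxx.xxx, and the protected subnets are assumed to be each site's inside network.

```python
import ipaddress
import re

# Constructed sample fragments, NOT the poster's 212.txt / 195.txt (which are not on the page).
# 203.0.113.10 stands in for ASA1's masked outside address, 198.51.100.5 for USG1's;
# the IPsec subnets are assumed to be the inside networks named in the post.
ASA1_CFG = """
access-list VPN_BE extended permit ip 10.1.1.0 255.255.255.0 10.1.4.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_BE
crypto map OUTSIDE_MAP 10 set peer 198.51.100.5
crypto map OUTSIDE_MAP 10 set pfs group2
crypto map OUTSIDE_MAP interface outside
"""

ASA3_CFG = """
access-list VPN_FG extended permit ip 10.1.4.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_FG
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP interface outside
"""

# Constructed debug line in the shape of the one quoted in the post, with placeholder addresses.
SAMPLE_LOG = ("Group = 198.51.100.5, IP = 198.51.100.5, Rejecting IPSec tunnel: no matching "
              "crypto map entry for remote proxy 192.168.4.50/255.255.255.255/0/0 "
              "local proxy 203.0.113.10/255.255.255.255/0/0 on interface outside")

# proxy identity fields: address/mask/protocol/port
PROXY_RE = re.compile(
    r"remote proxy (\S+?)/(\S+?)/\d+/\d+ local proxy (\S+?)/(\S+?)/\d+/\d+ on interface (\S+)")


def _addr(tokens, i):
    """Parse one ASA ACL address at tokens[i] ('host A', 'any' or 'A MASK'); return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_config(cfg):
    """Return (acls, maps): acls = {name: [(src, dst), ...]},
    maps = {(map_name, seq): {"acl", "peer", "pfs"}}. Only the lines this check needs are read."""
    acls, maps = {}, {}
    for raw in cfg.splitlines():
        t = raw.split()
        if len(t) >= 7 and t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _addr(t, 5)
            dst, _ = _addr(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif len(t) >= 5 and t[:2] == ["crypto", "map"] and t[3].isdigit():
            entry = maps.setdefault((t[2], int(t[3])), {"acl": None, "peer": None, "pfs": None})
            rest = t[4:]
            if rest[:2] == ["match", "address"]:
                entry["acl"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry["peer"] = rest[2]
            elif rest[:2] == ["set", "pfs"]:
                entry["pfs"] = rest[2] if len(rest) > 2 else "group2"  # bare 'set pfs' means group2
    return acls, maps


def parse_rejection(line):
    """Extract proxy identities from an ASA 'no matching crypto map entry' message, or None."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    ra, rm, la, lm, intf = m.groups()
    return {"remote": ipaddress.ip_network(f"{ra}/{rm}"),
            "local": ipaddress.ip_network(f"{la}/{lm}"), "interface": intf}


def covering_entries(acl_entries, local, remote):
    """ACL lines whose (src, dst) contain the proposed (local, remote) proxies."""
    return [(s, d) for s, d in acl_entries if local.subnet_of(s) and remote.subnet_of(d)]


def is_mirror(local_entries, remote_entries):
    """True when each side's crypto ACL is exactly the reverse of the other's."""
    return {(s, d) for s, d in local_entries} == {(d, s) for s, d in remote_entries}


def diagnose(local_cfg, remote_cfg, log_line):
    """Run the three responder-side checks and return a list of human-readable findings."""
    findings = []
    l_acls, l_maps = parse_config(local_cfg)
    r_acls, r_maps = parse_config(remote_cfg)
    rej = parse_rejection(log_line)
    for (name, seq), entry in l_maps.items():
        local_entries = l_acls.get(entry["acl"], [])
        # 1. do the proxies the peer proposed fall inside this map's crypto ACL?
        if rej and not covering_entries(local_entries, rej["local"], rej["remote"]):
            findings.append(f"{name} {seq}: no line of ACL {entry['acl']} covers proposed "
                            f"local {rej['local']} -> remote {rej['remote']}")
        for (rname, rseq), rentry in r_maps.items():
            # 2. is the peer's crypto ACL a mirror image of ours?
            if not is_mirror(local_entries, r_acls.get(rentry["acl"], [])):
                findings.append(f"{name} {seq} vs peer {rname} {rseq}: crypto ACLs are not mirror images")
            # 3. PFS has to be set identically on both ends or Phase 2 fails
            if entry["pfs"] != rentry["pfs"]:
                findings.append(f"{name} {seq}: PFS {entry['pfs']} here but {rentry['pfs']} on peer")
    return findings


if __name__ == "__main__":
    for f in diagnose(ASA1_CFG, ASA3_CFG, SAMPLE_LOG):
        print(f)
```

On the constructed input the script reports two findings: the proposed proxies are the two outside addresses as /32 hosts, which no line of the protected-subnet ACL covers, and PFS is group2 on one side and absent on the other. The first is the symptom the post shows; the second is the kind of mismatch the thread ended up fixing by disabling PFS, although aligning `set pfs` on both peers keeps forward secrecy rather than giving it up.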