01-03-2016 02:47 AM
Hello,
To begin, I wish you a happy New Year!
I have to establish a site-to-site VPN with a customer, but I don't have much knowledge.
I based my work on forums and tutorials.
I first created my objects. I put them in a group.
I created an access rule: MyNetwork to the Customer group, permitting IP & ICMP.
I configured the site-to-site VPN with the wizard.
My inside network: 172.23.12.0/24
My Firewall: ASA 5510
IKEv1:
AES-256
SHA-1
Group 2 (1024-bit)
Lifetime: 86400
IKEv2:
AES-256
ESP-SHA
Lifetime: 28800
PFS: no
I used the same key (which the customer gave me) for IKEv1 & IKEv2.
My customer:
Encryption domain: 193.42.51.x/24, 195.118.x.x/24 & 172.17.x.x/12 (for the moment, I don't use it)
VPN Internet address: 193.42.71.X
The customer gave me an IP (test) that allows ping (ICMP): 172.29.0.20
I didn't create an object for 172.29.0.20.
When I ping from 172.23.12.2 to 172.29.0.20, I get this error in the log:
4 Jan 03 2016 09:10:39 106023 172.23.12.2 172.29.0.20 Deny icmp src inside:172.23.12.2 dst outside:172.29.0.20 (type 8, code 0) by access-group "inside_access_in" [0x0, 0x0]
Here is my setup:
object-group network MyNetwork
network-object host 172.23.12.2
network-object 172.23.12.0 255.255.255.0
object-group network Customer
network-object 193.42.51.X 255.255.255.0
network-object 195.118.X.X 255.255.255.0
access-list VPN-Customer extended permit tcp 172.23.12.0 255.255.255.0 object-group DM_INLINE_NETWORK_18
nat (inside,outside) source static MyNetwork MyNetwork destination static Customer Customer route-lookup
!
route inside 172.23.12.0 255.255.255.0 10.10.8.2 1
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 5 match address VPN-Customer
crypto map outside_map 5 set peer 193.42.71.X
crypto map outside_map 5 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 5 set ikev2 ipsec-proposal AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 193.42.71.X type ipsec-l2l
tunnel-group 193.42.71.X general-attributes
default-group-policy GroupPolicy1
tunnel-group 193.42.71.X ipsec-attributes
ikev1 pre-shared-key ****
ikev2 remote-authentication pre-shared-key ****
ikev2 local-authentication pre-shared-key ****
Can you help me, please?
Thank you very much.
Nicolas
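The crypto section above defines DES, 3DES and MD5 transform sets and proposals next to the AES-256/SHA entries the wizard actually selects, and the dynamic map sets PFS to group1; in the configuration reposted on 7 January the crypto map entry offers the IKEv2 proposals in the order DES 3DES AES AES192 AES256. The script below is an added example, not code from the thread or from Cisco: it parses ASA running-config text and lists every weak or legacy keyword that is defined, or offered on a crypto map entry, so that such leftovers can be spotted before a peer negotiates them. The sample input is a re-indented copy of lines from the posted configuration plus a constructed hardened IKEv2 section; the ratings table and the hardened keyword spellings (sha-256, sha256, group14) are this example's own assumptions.

```python
"""Flag weak and legacy crypto keywords in ASA running-config text.
Added example, not from the thread or from Cisco; the ratings are this example's own."""
import re

RATING = {                                  # ASA keyword -> rating
    "des": "weak", "esp-des": "weak", "md5": "weak", "esp-md5-hmac": "weak",
    "group1": "weak",                       # 768-bit Diffie-Hellman
    "3des": "legacy", "esp-3des": "legacy",
    "group2": "legacy",                     # 1024-bit Diffie-Hellman
    "sha": "legacy", "sha-1": "legacy", "esp-sha-hmac": "legacy",   # SHA-1
}

# Re-indented copy of lines from the crypto section posted in the thread.
POSTED = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5
 prf sha
crypto ikev1 policy 110
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""

# Constructed comparison, not from the thread: IKEv2 only, AES-256, SHA-256, DH group 14.
HARDENED = """\
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map outside_map 1 set ikev2 ipsec-proposal AES256-SHA256
crypto map outside_map 1 set pfs group14
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
"""

def parse(config):
    """Return ({(kind, name): set(keywords)}, [(where, kind, [names offered])]).
    Sub-mode lines are tracked by context, so indentation is not required."""
    defs, refs, ctx = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        t = line.split()
        if line.startswith("crypto ipsec ikev1 transform-set"):
            defs[("transform-set", t[4])] = set(t[5:]); ctx = None
        elif line.startswith("crypto ipsec ikev2 ipsec-proposal"):
            ctx = ("ipsec-proposal", t[4]); defs[ctx] = set()
        elif re.match(r"crypto ikev[12] policy \d+$", line):
            ctx = (t[1] + " policy", t[3]); defs[ctx] = set()
        elif line.startswith("crypto "):        # crypto map / dynamic-map entries
            ctx = None
            where = " seq ".join(t[2:4])
            m = re.search(r"set (ikev1 transform-set|ikev2 ipsec-proposal) (.+)$", line)
            if m:
                refs.append((where, m.group(1).split()[1], m.group(2).split()))
            m = re.search(r"set pfs (group\d+)", line)
            if m:
                defs[("pfs", where)] = {m.group(1)}
        elif ctx:                               # inside a proposal or policy
            if t[0] == "protocol":              # protocol esp encryption|integrity ...
                defs[ctx].update(t[3:])
            elif t[0] == "group":               # "group 2" -> group2
                defs[ctx].add("group" + t[1])
            elif t[0] in ("encryption", "hash", "integrity", "prf"):
                defs[ctx].update(t[1:])
    return defs, refs

def audit(config):
    """List (where, keyword, rating) for every weak or legacy keyword defined or offered."""
    defs, refs = parse(config)
    findings = [(f"{kind} {name}", kw, RATING[kw])
                for (kind, name), kws in sorted(defs.items())
                for kw in sorted(kws) if kw in RATING]
    for where, kind, names in refs:
        for name in names:
            # A name with no definition in the text is rated by its own spelling.
            for kw in sorted(defs.get((kind, name), {name.lower()})):
                if kw in RATING:
                    findings.append((f"{where} offers {kind} {name}", kw, RATING[kw]))
    return findings

def offered(config):
    """Names each crypto-map entry offers, in the order it lists them."""
    return {f"{where} {kind}": names for where, kind, names in parse(config)[1]}

if __name__ == "__main__":
    for finding in audit(POSTED):
        print("%-48s %-14s %s" % finding)
    print("hardened findings:", audit(HARDENED))
```

Run against the posted lines it reports DES and MD5 as weak wherever they appear (the DES proposal, the md5 integrity option on the AES256 proposal, the ESP-DES-MD5 transform set, IKEv2 policy 40, PFS group1) and 3DES, SHA-1 and DH group 2 as legacy, and it shows that the crypto map entry lists DES before the AES proposals; the constructed hardened section produces no findings. The script only rates what the text defines or references: it does not know which proposal the peer will actually pick, so a clean result on the ASA side still needs the same check on the customer's end.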
01-04-2016 01:56 PM
Hi,
I think you have a few issues.
Firstly, it's likely you have an access list applied on the inside interface named 'inside_access_in'. Traffic will need to be permitted there, i.e.:
access-list inside_access_in extended permit icmp object-group INSIDE-NETWORKS object-group DESTINATION-NETWORKS
This is what the log message indicates.
Secondly, the VPN access-list and the NAT differ. The access-list VPN-Customer identifies the interesting traffic for encryption; you're permitting 172.23.12.0/24 (your network) to an object-group DM_INLINE_NETWORK_18? What's that?
You have set up identity NAT, as NAT is processed before VPN. The Customer object is configured as:
object-group network Customer
network-object 193.42.51.X 255.255.255.0
network-object 195.118.X.X 255.255.255.0
Your ICMP request is to 172.29.0.20, which is not included above. The log indicates it's denied by an ACL (inside_access_in), but even if permitted, the identity NAT will be ignored, and if you PAT to your outside interface you may find your source address changes and is no longer picked up by the access-list VPN-Customer.
The remote end will need the same ACLs in reverse to tunnel the interesting traffic.
Joel.
01-06-2016 05:59 AM
Hi Joel,
Thank you for your answer.
In ACL Manager (ASDM), I see an ACL named "inside_access_in".
Now I put my rule in "inside_access_in":
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_6 172.23.12.0 255.255.255.0 object-group Network_Customer
For your information:
object-group protocol DM_INLINE_PROTOCOL_6
protocol-object ip
protocol-object icmp
Network_Customer: 193.42.51.x/24, 195.118.x.x/24 & 172.29.0.20/32
Is 172.29.0.20/32 in "Network_Customer" correct?
The old rule was in an ACL named "VPN-Customer":
access-list VPN-Customer extended permit tcp 172.23.12.0 255.255.255.0 object-group DM_INLINE_NETWORK_18
Now:
In Access Rules (ASDM -> Firewall): I see the same rule, "MyNetwork to Network_Customer", permitting IP and ICMP on the INSIDE interface.
In NAT Rules (ASDM -> Firewall): I don't see any rule. Do I have to create a rule? For 172.29.0.20?
In Connection Profiles (ASDM -> Site-to-site VPN): I see in Remote Network "193.42.51.x/24 & 195.118.x.x/24". Correct?
Thank you for your help.
Nicolas
01-06-2016 12:27 PM
Hi Nicolas,
Would you be able to copy the relevant config again, as you did in the first post, with the necessary object-groups?
Joel
01-07-2016 03:40 AM
Hi Joel,
Here it is:
object network 172.29.0.20
host 172.29.0.20
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol group-ip-icmp
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object tcp destination eq 3389
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group network MyNetwork
network-object host 172.23.12.2
network-object 172.23.12.0 255.255.255.0
object-group network Network_Customer
network-object 193.42.51.0 255.255.255.0
network-object 195.118.2.0 255.255.255.0
network-object object 172.29.0.20
object-group protocol DM_INLINE_PROTOCOL_6
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_18
network-object 193.42.51.0 255.255.255.0
network-object 195.118.2.0 255.255.255.0
object-group network DM_INLINE_NETWORK_20
network-object 193.42.51.0 255.255.255.0
network-object 195.118.2.0 255.255.255.0
network-object object 172.29.0.20
access-list outside_cryptomap extended permit ip 172.23.12.0 255.255.255.0 object-group DM_INLINE_NETWORK_18
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_6 172.23.12.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
nat (inside,outside) source static MyNetwork MyNetwork destination static Network_Customer Network_Customer route-lookup
!
route inside 172.23.12.0 255.255.255.0 10.10.8.2 1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 193.42.253.131
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 2
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_193.42.71.X internal
group-policy GroupPolicy_193.42.71.X attributes
vpn-tunnel-protocol ikev1 ikev2
tunnel-group 193.42.71.X type ipsec-l2l
tunnel-group 193.42.71.X general-attributes
default-group-policy GroupPolicy_193.42.71.X
tunnel-group 193.42.71.X ipsec-attributes
ikev1 pre-shared-key xxxxx
ikev2 remote-authentication pre-shared-key xxxxx
ikev2 local-authentication pre-shared-key xxxxx
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
policy-map type inspect esmtp ESMTP_allow_TLS
description Allow TLS from SMTP server
parameters
no mask-banner
allow-tls
match sender-address length gt 320
log
match MIME filename length gt 255
log
match cmd line length gt 512
log
match cmd RCPT count gt 100
log
match body line length gt 998
log
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:25aefb6cb3129178d73611d7845ds4f
: end
Thank you.
Nicolas
01-07-2016 12:02 PM
Hi Nicolas,
You are identifying the interesting traffic using the ACL outside_cryptomap. Your source is your network and the destination is the object-group DM_INLINE_NETWORK_18:
access-list outside_cryptomap extended permit ip 172.23.12.0 255.255.255.0 object-group DM_INLINE_NETWORK_18
The DM_INLINE_NETWORK_18 object-group is missing the subnet/host you're trying to ping, i.e. 172.29.0.20. Without this the ASA will not know this host is to be encrypted for this L2L.
Joel
01-07-2016 12:27 PM
Hi Joel,
Here it is:
object-group protocol DM_INLINE_PROTOCOL_6
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_18
network-object 193.42.51.0 255.255.255.0
network-object 195.118.2.0 255.255.255.0
network-object object 172.29.0.20
object-group network DM_INLINE_NETWORK_20
network-object 193.42.51.0 255.255.255.0
network-object 195.118.2.0 255.255.255.0
network-object object 172.29.0.20
object-group protocol DM_INLINE_PROTOCOL_7
protocol-object ip
protocol-object icmp
access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_7 172.23.12.0 255.255.255.0 object-group DM_INLINE_NETWORK_18
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_6 172.23.12.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
OK for you?
Do I have to add a rule in NAT Rules?
Thank you.
Nicolas
01-07-2016 12:53 PM
Hi Nicolas,
You already have the identity NAT rule:
nat (inside,outside) source static MyNetwork MyNetwork destination static Network_Customer Network_Customer
Have you tried initiating traffic since the changes?
Try packet-tracer to make sure no ACL or NAT is causing issues.
If the tunnel is not working you will need to run debug.
01-07-2016 01:45 PM
Joel,
I am pinging from 172.23.12.2 to 172.29.0.20, but it's not responding.
Now in the log:
6 Jan 07 2016 21:21:08 302020 172.23.12.2 512 172.29.0.20 0 Built outbound ICMP connection for faddr 172.29.0.20/0 gaddr 194.154.208.158/512 laddr 172.23.12.2/512
I don't see a rule in NAT Rules (ASDM).
In Monitoring -> VPN -> Sessions -> Filter by "IPSEC Site-to-site":
I don't see anything.
Any idea?
01-07-2016 01:58 PM
Let's try the following:
packet-tracer input inside icmp 172.23.12.2 8 0 172.29.0.20 detailed
Copy the output for me.
Can you also do a show run nat and copy the results?
You do have one NAT rule, which you've copied: it is identity NAT, previously known as NAT0. NAT is processed before crypto, and in your situation you don't want NAT/PAT.
nat (inside,outside) source static MyNetwork MyNetwork destination static Network_Customer Network_Customer route-lookup
Thanks
Joel.
01-07-2016 02:35 PM
When I do a packet-tracer:
step 2 of 6 Ingress Interface : INSIDE
source : 172.23.12.2 Destination : 172.29.0.20 Protocol : ICMP
step 3 of 6 ingress interface : OUTSIDE
source : 172.23.12.2 Destination : 172.29.0.20 Protocol : ICMP
Result: 172.23.12.2 -> 172.29.0.20 ICMP : echo request
For show run nat:
nat (inside,outside) source static My_Network My_Network destination static Network_Customer Network_Customer route-lookup
01-08-2016 05:03 AM
Hi Nicolas,
Clearly we are in different time zones. When you do a packet-tracer it should output more information, such as below:
WXFWDEV002# packet-tracer input dev-network icmp 172.31.89.10 8 0 172.31.84.10
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 corporate-network
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dev-network-in in interface dev-network
access-list dev-network-in extended permit icmp object-group WW-Net-Dev any log
object-group network WW-Net-Dev
network-object 172.31.89.0 255.255.255.0
Additional Information:
etc
Can I have that information to see if your NAT is being hit? I will need the full output. I don't use ASDM often; are you able to SSH to the device and run packet-tracer?
Joel
01-09-2016 03:18 PM
Hi Joel,
Now it's working :-)
I deleted all the "object-group network" entries and I created "object network" entries.
I created a nonat rule (in ASDM > NAT Rules): 172.23.12.2 > 172.29.0.20
I seem to see commands in the CLI that do not appear in ASDM.
Example: nat (inside,outside) source static MyNetwork MyNetwork destination static Network_Customer Network_Customer route-lookup
I deleted the "object-group network" entries in ASDM and I see them in the CLI again.
Is the command to delete an object-group: clear configure object-group network "name"?
Here is the setup:
object network 172.29.0.20
host 172.29.0.20
object network 172.23.12.0
subnet 172.23.12.0 255.255.255.0
object network 172.23.12.2
host 172.23.12.2
object network 193.42.51.0
subnet 193.42.51.0 255.255.255.0
object network 195.118.2.0
subnet 195.118.2.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol group-ip-icmp
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_6
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_18
network-object object 172.29.0.20
network-object object 193.42.51.0
network-object object 195.118.2.0
object-group network DM_INLINE_NETWORK_20
network-object object 172.29.0.20
network-object object 193.42.51.0
network-object object 195.118.2.0
object-group protocol DM_INLINE_PROTOCOL_7
protocol-object ip
protocol-object icmp
access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_7 object 172.23.12.2 object-group DM_INLINE_NETWORK_18
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_6 object 172.23.12.2 object-group DM_INLINE_NETWORK_20
nat (inside,outside) source static 172.23.12.2 172.23.12.2 destination static 172.29.0.20 172.29.0.20
nat (inside,outside) source static MyNetwork MyNetwork destination static Network_Customer Network_Customer route-lookup
route inside 172.23.12.0 255.255.255.0 10.10.8.2 1
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 193.42.253.131
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 2
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 193.42.71.X type ipsec-l2l
tunnel-group 193.42.71.X general-attributes
default-group-policy GroupPolicy1
tunnel-group 193.42.71.X ipsec-attributes
ikev1 pre-shared-key XXXX
ikev2 remote-authentication pre-shared-key XXXX
ikev2 local-authentication pre-shared-key XXXX
ciscoasa# packet-tracer input outside icmp 172.23.12.2 8 0 172.29.0.20
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group icmp_out_in in interface outside
access-list icmp_out_in extended deny ip any any
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
The "drop" is strange, no?
I would like to thank you.
Nicolas
debug crypto isakmp
debug crypto ipsec
Remember to undebug. We need to figure out whether you're attempting to establish the tunnel.
Joel
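What the thread walks through, as an added example that is not part of the original posts: a small model of the three checks Joel lists, applied in the order the ASA applies them (inbound interface ACL, then NAT, then the crypto map's interesting-traffic ACL), fed with the object contents from the three configurations Nicolas posted (the opening post, the 7 January repost, and the final working one). The evaluation logic is a simplification (no routing, inspection or connection state), the outside interface address is a constructed documentation address, and the model assumes a dynamic PAT to the outside interface applies to flows that miss the identity NAT rule, which is what the 302020 line with gaddr set to a public address suggests.

```python
"""Model of the ASA's order of operations for one flow: interface ACL, then NAT,
then the crypto map's interesting-traffic ACL. Added example, not from the thread."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the outside interface address (RFC 5737 range).
OUTSIDE_IP = ipaddress.ip_address("198.51.100.1")


def nets(*cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


@dataclass
class Ace:
    """One access-control entry: action, protocols, source nets, destination nets."""
    action: str
    protos: frozenset
    srcs: list
    dsts: list

    def matches(self, proto, src, dst):
        # protocol-object ip matches every IP protocol, as it does on the ASA
        proto_ok = "ip" in self.protos or proto in self.protos
        return (proto_ok and any(src in n for n in self.srcs)
                and any(dst in n for n in self.dsts))


def acl_lookup(acl, proto, src, dst):
    """First matching entry wins; an ASA ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, dst):
            return ace.action
    return "deny"


@dataclass
class AsaPolicy:
    inside_access_in: list   # access-group inside_access_in in interface inside
    identity_nat: tuple      # (source nets, destination nets) of the twice-NAT identity rule
    crypto_acl: list         # ACL named by "crypto map outside_map N match address"


def evaluate(policy, proto, src, dst):
    """Return where the flow stops, or 'encrypted' if the crypto map picks it up."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. Interface ACL: the 106023 message in the first post is this step failing.
    if acl_lookup(policy.inside_access_in, proto, src, dst) != "permit":
        return "denied by inside_access_in"
    # 2. NAT runs before the crypto check. Identity NAT keeps the real source;
    #    anything else is assumed to hit a dynamic PAT to the outside interface.
    s_nets, d_nets = policy.identity_nat
    keep = any(src in n for n in s_nets) and any(dst in n for n in d_nets)
    xlated = src if keep else OUTSIDE_IP
    # 3. Crypto map: only a flow matching the interesting-traffic ACL is encrypted.
    if acl_lookup(policy.crypto_acl, proto, xlated, dst) != "permit":
        return f"sent in the clear (crypto ACL saw {xlated} -> {dst})"
    return "encrypted"


IP_ICMP = frozenset({"ip", "icmp"})


def first_post():
    """Opening post: the Customer group holds the two /24s only, and the
    VPN-Customer crypto ACL permits tcp only."""
    mynet, customer = nets("172.23.12.0/24"), nets("193.42.51.0/24", "195.118.2.0/24")
    return AsaPolicy([Ace("permit", IP_ICMP, mynet, customer)],
                     (mynet, customer),
                     [Ace("permit", frozenset({"tcp"}), mynet, customer)])


def jan7_post():
    """7 January repost: DM_INLINE_NETWORK_20 (interface ACL) and Network_Customer
    (identity NAT) include the test host; DM_INLINE_NETWORK_18 (crypto ACL) does not."""
    mynet = nets("172.23.12.0/24")
    net18 = nets("193.42.51.0/24", "195.118.2.0/24")
    net20 = net18 + nets("172.29.0.20/32")
    return AsaPolicy([Ace("permit", IP_ICMP, mynet, net20)],
                     (mynet, net20),
                     [Ace("permit", frozenset({"ip"}), mynet, net18)])


def final_post():
    """Working config: every object includes 172.29.0.20, but the ACLs and the
    new identity NAT rule are scoped to the single host 172.23.12.2."""
    host = nets("172.23.12.2/32")
    net = nets("172.29.0.20/32", "193.42.51.0/24", "195.118.2.0/24")
    return AsaPolicy([Ace("permit", IP_ICMP, host, net)],
                     (host, nets("172.29.0.20/32")),
                     [Ace("permit", IP_ICMP, host, net)])


def scenarios():
    """The ping from the thread against each posted config, plus a neighbouring host."""
    ping = ("icmp", "172.23.12.2", "172.29.0.20")
    return {
        "first post": evaluate(first_post(), *ping),
        "jan 7 post": evaluate(jan7_post(), *ping),
        "final post": evaluate(final_post(), *ping),
        "final post, host 172.23.12.50": evaluate(final_post(), "icmp", "172.23.12.50", "172.29.0.20"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:32s} {result}")
```

The first scenario reproduces the 106023 denial from the opening post; the second reproduces the 7 January state, where the interface ACL now passes but the crypto ACL never matches, so the echo leaves the outside interface unencrypted; the third is the working configuration. Two things the thread does not spell out also fall out of the model: the opening post's VPN-Customer ACL permitted only tcp, so an ICMP echo would not have been treated as interesting traffic even once the interface ACL was fixed, and the final configuration only tunnels the single host 172.23.12.2, which the fourth scenario shows for a neighbouring address.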