IPSEC between ASA and Router

b.paik · ‎12-24-2012

Hi There,

I am having a weird issue creating a tunnel between ASA and Cisco router. The both devices are behind NAT device with all the correct Port forwardings but for some reason they are not establishing a VPN connection.

Any suggestion / help is appreaciated. Thanks in advance.

---Router Config---

Building configuration...

Current configuration : 3784 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname VPN_Router

!

boot-start-marker

boot-end-marker

!

logging buffered 52000 debugging

!

aaa new-model

!

aaa session-id common

no ip cef

!

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

crypto pki trustpoint TP-self-signed-2050611130

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2050611130

revocation-check none

rsakeypair TP-self-signed-2050611130

!

crypto pki certificate chain TP-self-signed-2050611130

certificate self-signed 01

30820242 308201AB A0030201 02020101 300D0609 2A864886 F70D0101 04050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 32303530 36313131 3330301E 170D3132 31323231 32303031

30355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 30353036

31313133 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100A002 84283B6A C3CD910A 5E17865A 22C3A93D 4207D6E9 C18AF47F E217FD14

6EA8B43B CA762D78 400412F0 21CA4510 60614A2A 859A2C9F 8FA2E435 A65D354A

C145FAAF 3E2B8ED9 8221AD32 C99DE542 212762AA 2594708C 4DF7DAEA 240F4C65

A780A7B6 A3302962 9FF08EA6 B70AC3EC 7935716A 225BA2A2 7E13C24E 5FBB9F42

E2750203 010001A3 6A306830 0F060355 1D130101 FF040530 030101FF 30150603

551D1104 0E300C82 0A56504E 5F526F75 74657230 1F060355 1D230418 30168014

22F277B3 96CF5C93 F8ABB16E 595AA22F DA653D18 301D0603 551D0E04 16041422

F277B396 CF5C93F8 ABB16E59 5AA22FDA 653D1830 0D06092A 864886F7 0D010104

05000381 810063CB 96D23E60 DABD9E16 17ED39E5 A040B82E 7377FDB8 662223A6

1EA0807A C79520C4 9DBC1B2C 58E7F9E1 B9D94331 E202C58A 4E05F326 83B59F58

AF1E333D 1B4E025D B81E9FDA 29883217 6971E9FC BA74A6EE 9BE328A2 338138BD

301F8D67 3BD76E0A 26EA4676 169F789B 675C3C6A BFD69AD0 E490C354 1BC7047A

E157B5C8 A5FC

quit

!

controller DSL 0/0/0

line-term cpe

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

lifetime 28800

crypto isakmp key ******* address 203.109.197.XXX no-xauth

!

crypto ipsec transform-set rtpset esp-3des esp-sha-hmac

!

crypto map rtp 1 ipsec-isakmp

set peer 203.109.197.XXX

set security-association lifetime seconds 28800

set transform-set rtpset

match address 115

!

interface FastEthernet0/0

ip address 10.0.1.254 255.255.255.0

ip nat inside

ip virtual-reassembly

no ip route-cache

no ip mroute-cache

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 192.168.100.253 255.255.255.0

ip nat outside

ip virtual-reassembly

no ip route-cache

no ip mroute-cache

duplex auto

speed auto

crypto map rtp

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.100.254

!

ip http server

no ip http secure-server

ip nat inside source route-map nonat interface FastEthernet0/1 overload

ip nat inside source static tcp 10.0.1.100 7777 interface FastEthernet0/1 7777

ip nat inside source static tcp 10.0.1.100 8888 interface FastEthernet0/1 8888

!

access-list 10 permit 203.109.197.XXX log

access-list 101 remark NAT Traffic

access-list 101 deny ip 10.0.1.0 0.0.0.255 172.31.1.0 0.0.0.255

access-list 101 permit ip 10.0.1.0 0.0.0.255 any

access-list 115 permit ip 10.0.1.0 0.0.0.255 172.31.1.0 0.0.0.255

access-list 115 deny ip 10.0.1.0 0.0.0.255 any

!

route-map nonat permit 10

match ip address 101

!

control-plane

!

line con 0

line aux 0

line vty 0 4

access-class 10 in

privilege level 15

!

scheduler allocate 20000 1000

end

---//Router Config End---

---ASA Config---

ASA Version 8.3(2)

!

hostname CKFWAKL01

domain-name none.com

names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.254.253.254 255.255.255.252

!

interface Vlan100

nameif outside

security-level 0

ip address 10.254.254.253 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 100

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name ciscokid.co.nz

object network Internal

subnet 172.16.0.0 255.240.0.0

object network NETWORK_OBJ_10.0.1.0_24

subnet 10.0.1.0 255.255.255.0

object network NETWORK_OBJ_172.31.1.0_24

subnet 172.31.1.0 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list outside_1_cryptomap extended permit ip 172.31.1.0 255.255.255.0 10.0.1.0 255.255.255.0

pager lines 24

logging enable

logging monitor debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static NETWORK_OBJ_172.31.1.0_24 NETWORK_OBJ_172.31.1.0_24 destination static NETWORK_OBJ_10.0.1.0_24 NETWORK_OBJ_10.0.1.0_24

!

object network Internal

nat (any,outside) dynamic interface

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 10.254.254.254 1

route inside 172.16.0.0 255.240.0.0 10.254.253.253 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable 8443

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 203.109.197.YYY

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 1 set phase1-mode aggressive

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

tunnel-group 203.109.197.YYY type ipsec-l2l

tunnel-group 203.109.197.YYY ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:d0751c2cc360dfc9b7ae54635dd38585

: end

[OK]

---//ASA Config End---

Debug on the router:

*Dec 24 23:16:33.403: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...

*Dec 24 23:16:33.403: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Dec 24 23:16:33.403: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE

*Dec 24 23:16:33.403: ISAKMP:(0:0:N/A:0): sending packet to 203.109.197.XXX my_port 500 peer_port 500 (I) MM_NO_STATE

*Dec 24 23:16:34.667: del_node src 192.168.100.253:500 dst 203.109.197.XXX:500 fvrf 0x0, ivrf 0x0

*Dec 24 23:16:34.667: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

*Dec 24 23:16:34.671: ISAKMP:(0:0:N/A:0):deleting SA reason "Death by tree-walk" state (I) MM_NO_STATE (peer 203.109.197.XXX)

*Dec 24 23:16:34.671: del_node src 192.168.100.253:500 dst 203.109.197.XXX:500 fvrf 0x0, ivrf 0x0

*Dec 24 23:16:34.671: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

*Dec 24 23:16:34.671: ISAKMP:(0:0:N/A:0):deleting SA reason "Death by tree-walk" state (I) MM_NO_STATE (peer 203.109.197.XXX)

*Dec 24 23:16:34.671: ISAKMP:(0:0:N/A:0):deleting node -221444746 error FALSE reason "IKE deleted"

*Dec 24 23:16:34.671: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Dec 24 23:16:34.671: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

*Dec 24 23:16:39.395: ISAKMP: local port 500, remote port 500

*Dec 24 23:16:39.395: ISAKMP: set new node 0 to QM_IDLE

*Dec 24 23:16:39.395: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 63D3F414

*Dec 24 23:16:39.395: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.

*Dec 24 23:16:39.395: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 203.109.197.XXX

*Dec 24 23:16:39.395: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID

*Dec 24 23:16:39.395: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID

*Dec 24 23:16:39.395: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID

*Dec 24 23:16:39.395: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Dec 24 23:16:39.395: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1

*Dec 24 23:16:39.395: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange

*Dec 24 23:16:39.395: ISAKMP:(0:0:N/A:0): sending packet to 203.109.197.XXX my_port 500 peer_port 500 (I) MM_NO_STATE

*Dec 24 23:16:49.395: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...

*Dec 24 23:16:49.395: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Dec 24 23:16:49.395: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE

*Dec 24 23:16:49.395: ISAKMP:(0:0:N/A:0): sending packet to 203.109.197.XXX my_port 500 peer_port 500 (I) MM_NO_STATE

*Dec 24 23:16:59.395: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...

*Dec 24 23:16:59.395: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Dec 24 23:16:59.395: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE

*Dec 24 23:16:59.395: ISAKMP:(0:0:N/A:0): sending packet to 203.109.197.XXX my_port 500 peer_port 500 (I) MM_NO_STATE

*Dec 24 23:17:09.391: ISAKMP: set new node 0 to QM_IDLE

*Dec 24 23:17:09.391: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 192.168.100.253, remote 203.109.197.XXX)

*Dec 24 23:17:09.395: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...

*Dec 24 23:17:09.395: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Dec 24 23:17:09.395: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE

*Dec 24 23:17:09.395: ISAKMP:(0:0:N/A:0): sending packet to 203.109.197.XXX my_port 500 peer_port 500 (I) MM_NO_STATE

*Dec 24 23:17:13.319: ISAKMP:(0:0:N/A:0):purging node -2117718654

*Dec 24 23:17:13.319: ISAKMP:(0:0:N/A:0):purging node -908425583

*Dec 24 23:17:19.395: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...

*Dec 24 23:17:19.395: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Dec 24 23:17:19.395: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE

*Dec 24 23:17:19.395: ISAKMP:(0:0:N/A:0): sending packet to 203.109.197.XXX my_port 500 peer_port 500 (I) MM_NO_STATE

*Dec 24 23:17:23.319: ISAKMP:(0:0:N/A:0):purging SA., sa=63396DC8, delme=63396DC8

*Dec 24 23:17:24.671: ISAKMP:(0:0:N/A:0):purging node -221444746

*Dec 24 23:17:29.395: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...

*Dec 24 23:17:29.395: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

*Dec 24 23:17:29.395: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE

*Dec 24 23:17:29.395: ISAKMP:(0:0:N/A:0): sending packet to 203.109.197.XXX my_port 500 peer_port 500 (I) MM_NO_STATE

*Dec 24 23:17:34.671: ISAKMP:(0:0:N/A:0):purging SA., sa=63D4B490, delme=63D4B490

*Dec 24 23:17:39.391: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

*Dec 24 23:17:39.391: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 203.109.197.XXX)

*Dec 24 23:17:39.391: ISAKMP:(0:0:N/A:0):deleting node -856967187 error FALSE reason "IKE deleted"

*Dec 24 23:17:39.391: ISAKMP:(0:0:N/A:0):deleting node -163150498 error FALSE reason "IKE deleted"

*Dec 24 23:17:39.391: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Dec 24 23:17:39.391: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

Thanks again...

Pawel Cecot · ‎12-25-2012

Hi,

- The configuration looks fine.

- We can clearly see from the debug that MM1 message is beeing retransmitted so that packet is somewhere blocked/dropped.

Some questions which might help you:

- Do you have udp/500 and udp/4500 allowed along the path in both directions?

- Is it a static - bi-directional NAT?

- Do we receive something on the ASA?

I suggest to:

- collect debugs on the ASA

- collect captures on the ASA to verify if you receive the MM1 packet from the IOS (capture ISAKMP type isakmp interface outside)

Pawel

Jiri Zvolanek · ‎12-25-2012

Hello.

I think you have problem in ASA configuration. Here´s the reason.

"access-group outside_access_in in interface outside"

You´re applying ACL outside_access_in to your outside interface but there is no such ACL present in your ASA cfg so I think packets are droped.

Try to permit you VPN traffic or Public IP of the router at outside ACL in the ASA. (not sure which one will work for u)

Pawel Cecot · ‎12-25-2012

Jiri Zvolanek wrote:

Hello.

I think you have problem in ASA configuration. Here´s the reason.

"access-group outside_access_in in interface outside"

You´re applying ACL outside_access_in to your outside interface but there is no such ACL present in your ASA cfg so I think packets are droped.

Try to permit you VPN traffic or Public IP of the router at outside ACL in the ASA. (not sure which one will work for u)

As long as there is the default 'sysopt connection permit-vpn' the vpn traffic will be allowed regardless of the inbound ACL.

Either the ASA is not receiving the MM1 or after the ASA is replying with MM2 it gets dropped somewhere. All in all I suggest to collect captures or debugs.

Pawel