cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1278
Views
2
Helpful
7
Replies

IPSEC tunnel won't attempt connection

k.langley
Level 1
Level 1

I have a 5510 and a 5505 that I'm attempting to configure a simple VPN tunnel over. I have tried step by step configurations form CISCO ASA configs, as well as every source I can find. I have walked throught the config with IOS commands as well as Wizards. All my packets are dropped at the the inside or outside interface.

When I show SH ISAKMP command all I get are 0's straight down. Any ideas how I can troubleshot this

1 Accepted Solution

Accepted Solutions

Try the following on the 5505 (assuming your object groups are consistent with the example in the configs)

access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.13.0 255.255.255.0

nat (inside,outside) source static NETWORK_OBJ_192.168.5.0_24  NETWORK_OBJ_192.168.5.0_24 destination static  NETWORK_OBJ_192.168.13.0_24 NETWORK_OBJ_192.168.13.0_24

Try this on the ASA 5510

access-list outside_1_cryptomap extended permit ip 192.168.13.0 255.255.255.0 192.168.5.0 255.255.255.0

nat (inside,outside) source static NETWORK_OBJ_192.168.13.0_24  NETWORK_OBJ_192.168.13.0_24 destination static  NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24

Thanks,

Tarik Admani
*Please rate helpful posts*

View solution in original post

7 Replies 7

k.langley
Level 1
Level 1

here are the configs

5510 config

ASA Version 8.3(1)

!

hostname ciscoasa

enable password RLPMUQ26KL4blgFN encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 132.172.105.133 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.13.100 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

same-security-traffic permit inter-interface

object network NETWORK_OBJ_192.168.13.0_24

subnet 192.168.13.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.13.0 255.255.255.0 192.168.13.0 255.255.255.0

pager lines 24

logging asdm informational

mtu management 1500

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static NETWORK_OBJ_192.168.13.0_24 NETWORK_OBJ_192.168.13.0_24 destination static NETWORK_OBJ_192.168.13.0_24 NETWORK_OBJ_192.168.13.0_24

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 132.172.105.132

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

tunnel-group 132.172.105.132 type ipsec-l2l

tunnel-group 132.172.105.132 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:e829ea360581230097c8204bc696d005

: end

5505 config

ASA Version 8.3(1)

!

hostname ciscoasa

enable password RLPMUQ26KL4blgFN encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.13.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 132.172.105.132 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network NETWORK_OBJ_192.168.13.0_24

subnet 192.168.13.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.13.0 255.255.255.0 192.168.13.0 255.255.255.0

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static NETWORK_OBJ_192.168.13.0_24 NETWORK_OBJ_192.168.13.0_24 destination static NETWORK_OBJ_192.168.13.0_24 NETWORK_OBJ_192.168.13.0_24

!

object network obj_any

nat (inside,outside) dynamic interface

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.13.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 132.172.105.133

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

tunnel-group 132.172.105.133 type ipsec-l2l

tunnel-group 132.172.105.133 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:6ac1a0875e433c7a736e53f7fdbe27c5

: end

Are these overlapping networks? If so then you may need to NAT one of the networks using policy NAT in order to get this to work. The document is a little dated with the nat statements but keep that in mind and see if this is what you are looking for.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

thanks,

Tarik Admani
*Please rate helpful posts*

I had different networks on the inside ..13.0/24 and a..5.0/24 previously. Those didn't work either. It appears from the config guide that if my outside interfaces are on an overlapping network which they will be, then I will need to nat the outside. Do you agree?

No the outside network is a simulation of a link on the same network. The networks that are being tunnelled from site A to site B are both 192.168.1.0/24 networks. Based on you configuration you have the same networks being protected.

Can you please label which networks you want to protect and tunnel and which ASA they current sit behind. Also i didnt see any routes configured on the ASA either.

Thanks,

Tarik Admani
*Please rate helpful posts*

Sorry. In my attempt to simlify I made it more confusing.

My original config which I didn't post was as follows:

ASA 5505

Inside 192.168.5.0/24

outside 132.172.105.132/26

The route I had was 0.0.0.0 0.0.0.0 132.172.105.133

ASA 5510

Inside 192.168.13.0/24

Outside 132.172.105.133/26

The route I had was 0.0.0.0 0.0.0.0 132.172.105.132

Try the following on the 5505 (assuming your object groups are consistent with the example in the configs)

access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.13.0 255.255.255.0

nat (inside,outside) source static NETWORK_OBJ_192.168.5.0_24  NETWORK_OBJ_192.168.5.0_24 destination static  NETWORK_OBJ_192.168.13.0_24 NETWORK_OBJ_192.168.13.0_24

Try this on the ASA 5510

access-list outside_1_cryptomap extended permit ip 192.168.13.0 255.255.255.0 192.168.5.0 255.255.255.0

nat (inside,outside) source static NETWORK_OBJ_192.168.13.0_24  NETWORK_OBJ_192.168.13.0_24 destination static  NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24

Thanks,

Tarik Admani
*Please rate helpful posts*

That didn't do it either. I tried a few other things after that. I suspect I have a bad device or IOS. The Organization I work for let thier Cisco support expire. It is almost back so I can get a fresh IOS. I have some other boxes I can test with. I got these boxes atfer they fired another tech who worked on these for 14 month and never got them working. I thank you for assistance.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: