12-14-2010 01:39 AM
I'm trying to configure a Site-to-Site VPN in a Cisco ASA 5505 firewall which is behind an ISP router (Cisco 800 Series) configured in routing mode (not bridging) and with a static nat of all the ports to the firewall (avoiding bridging mode of the router).
INSIDE --> FIREWALL (VPN) --> ISP ROUTER -> .... internet ... -> REMOTE PEER (VPN)
inside: 192.168.12.x/24
firewall inside ip: 192.168.12.1/24
firewall outside ip: 192.168.1.11/24
isp router inside ip: 192.168.1.1/24
isp router outside ip: xxxxxxxxx/0
...
remote peer outside: xxxxxxxxxx/0
remote peer lan: 192.168.0.x/24
Remote peer is NOT behind a Nat and accepts incoming connections from ISP Router public address
The tunnel fails in Phase 1, returning an MM_WAIT_MSG6 error
I enabled IPSec-Over-TCP with 4500,500,40,41 ports, otherwise I get a NO_PROPOSAL_CHOSEN error
Nat-T is enabled by default (I've also tried to type manually the cmd)
Is it a problem of firewall identity? It's in automatic mode.. (other choices: VendorID, Address or Hostname)
.. and what about Reverse Routing Injection? (which is disabled)
Cisco ASA 5505 firewall config
ASA Version 8.2(1)
...
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.12.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.11 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit intra-interface
! ## rule created by the vpn wizard
access-list outside_1_cryptomap extended permit ip 192.168.12.0 255.255.255.0 192.168.0.0 255.255.255.0
! ## Ports to establish the connection between the remote VPN and the firewall
access-list outside_access_in extended permit ip any any
! ## Allow incoming ping (redundant rule)
access-list outside_access_in extended permit icmp any any
! ## ..created by the vpn wizard
access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
! ## .. created by the wizard
nat (inside) 0 access-list inside_nat0_outbound
!
nat (inside) 1 0.0.0.0 0.0.0.0 dns
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
! ## routing outbound internet traffic
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
! ## routing outbound vpn traffic
route outside 192.168.0.0 255.255.255.0 XXxx-REMOTE_PEER_IP-xxXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.12.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! ## Phase 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer XXxx-REMOTE_PEER_IP-xxXX
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
! ## Phase 1
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! ## DO I HAVE TO ENABLE IPSEC-OVER-TCP ??
crypto isakmp ipsec-over-tcp port 500 4500 50 51
! ## NAT-T is enabled by default
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
! ## inside dhcp
dhcpd address 192.168.12.5-192.168.12.36 inside
dhcpd dns XXxx-DNS_IPs-xxXX interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group XXxx-REMOTE_PEER_IP-xxXX type ipsec-l2l
tunnel-group XXxx-REMOTE_PEER_IP-xxXX ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Log Debug IKE:
IKE MM Initiator FSM error history (struct &0xc9d73740) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT
Thanks for the help
PS: I've written a Java app to highlight Cisco ASA syntax.. I will post it soon, in case anyone would find it useful
12-14-2010 01:49 AM
You do not need the following static route as it should just use the default route:
route outside 192.168.0.0 255.255.255.0 XXxx-REMOTE_PEER_IP-xxXX 1
Please kindly remove the following too:
crypto isakmp ipsec-over-tcp port 500 4500 50 51
NAT-T should be enabled by default, and it uses UDP/4500.
For an IPSec VPN tunnel, you would need to allow/NAT the following 2 ports:
Phase 1: UDP/500
Phase 2: UDP/4500
Hope that helps.
12-14-2010 03:45 AM
Hi,
Please post the configuration of your remote peer VPN ASA or router here.
Hi Jennifer,
Phase 2 doesn't require UDP 4500; this port is primarily used to encapsulate IPsec in UDP if there is a device performing NAT between the IPsec peers which allows NAT-T.
However, he would need to allow the following in his firewall (which is already permitted):
1- ISAKMP , UDP port 500
2- ESP
3- NAT-T , UDP port 4500
Regards,
Mohamed
12-14-2010 08:02 AM
The remote peer isn't mine (it has other VPNs working correctly), however it's a Juniper SSG-140 with these settings:
Remote gateway: xxx-MY_ISP_ROUTER_PUBLIC_IP-xxx
Phase1: pre-g2-3des-sha
Phase2: g2-esp-3des-sha
Replay Protection: Disabled
Transport Mode (for L2TP-over-IPSec): Disabled
Use As Seed: Disabled
Preferred Certificate:
-Local Cert: None
-Peer CA: All
-Peer Type: X509-SIG
Bind to: None
Source Interface: default
Destination IP: default
Enable NAT-Traversal: Enabled (keepalive frequency: 0)
The pre-shared key has been checked several times and it's surely correct.
Thanks
12-16-2010 07:12 AM
Hi Mohamed,
Just to clarify, the below ports are used in Phase1\Phase2
No NAT-T:
Phase 1 and Phase 2 (Control Plane Traffic): UDP 500
Data Plane: ESP
With NAT-T:
Phase 1 : UDP 500 for MM1 - MM4, UDP 4500 (MM5, MM6)
Phase 2: UDP 4500
Data Plane: UDP 4500 (ESP is encapsulated in UDP 4500 to avoid any NAT issues and thus the usefulness of NAT-T)
You probably can verify that also by doing a packet capture on the ASA for a new Tunnel Setup and then save it in PCAP to be viewed later on Wireshark.
Thanks,
Naman
12-14-2010 08:32 AM
Thanks for the reply,
I think that without the "route outside..", the outbound packets for the vpn (directed to the 192.168.0.x, which is the remote lan) will go outside without a destination, not protected by the tunnel (because the tunnel is down) .. could you confirm this?
As far as "crypto isakmp ipsec-over-tcp..", if I remove it, I get NO_PROPOSAL_CHOSEN Error.. Which probably indicates mismatched settings.. Is it due to a wrong identity of my firewall? (the remote peer receives packets with a different source ip instead of the ISP public ip)
Ports UDP 4500 and 500 are already allowed/NAT-ed (even better, every port of the isp router is static natted to my firewall)
12-14-2010 04:29 PM
I think that without the "route outside..", the outbound packets for the vpn (directed to the 192.168.0.x, which is the remote lan) will go outside without a destination, not protected by the tunnel (because the tunnel is down) .. could you confirm this?
A: this statement is incorrect. It should be encrypted and routed to the Internet as per your default route/default gateway. Hence, it is incorrect to configure specific "route outside" to the peer address as the peer address is not even directly connected to the ASA.
Which probably indicates mismatched settings.. Is it due to a wrong identity of my firewall? (the remote peer receives packets with a different source ip instead of the ISP public ip)
A: yes, there is a possibility that the remote peer is matching the peer ip address which is behind a NAT router, and the actual ISAKMP negotiation messages about the peer ip address would be the private ip address (not the NATed address) because NAT is only performed in the IP header, not within the messages of the ISAKMP negotiation (data). Is there any way to include the private address in the Juniper configuration for the peer ip address?
12-15-2010 01:43 AM
Hi,
Please post the output of the below:
# debug isakmp sa
- In general, I would check the following configuration :
1- The Security Association lifetime should match between IPsec peers (check the Juniper configuration).
2- Some ISPs block UDP ports which are necessary to establish the tunnel; in this case, either the ports are allowed or NAT-T 4500 is used. However, port 500 UDP should still be allowed.
Note:
You can enable IPsec over TCP if the ISP blocks port 4500 UDP, but you will need UDP port 500 to be open and allowed.
Can you confirm these steps?
Regards,
Mohamed
12-16-2010 07:22 AM
Hi,
Since you are using NAT-T (ASA behind a NAT device) the communication will be as below
ASA <------> Juniper
MM1 -->
<-- MM2
MM3 -->
<-- MM4
** Communication will now shift to UDP 4500 from UDP 500 **
MM5 -->
<-- MM6 (Which is Not being Received)
So we have a couple of possibilities here
1. Juniper doesn't like MM5 because of pre-shared key mismatch. Though as you said this has been verified.
2. Juniper does send MM6 back to ASA, but it never makes it (In which case you need to verify ISP etc)
Please verify this as below
a. On the ASA setup the capture as below
access-list capture permit ip host
access-list capture permit ip host
capture outside access-list capture interface outside
b. Try to bring up the tunnel and then take a look at "show capture outside" Output. If you do not see any UDP 4500 packet coming back from Juniper then issue is Not on the ASA.
However if you Do see UDP 4500 coming back (though very little chance) then please open a TAC case and we can take a look at the issue.
3. I would also verify on Juniper by doing a capture in front that Juniper 'is' sending MM6 back to ASA.
Thanks,
Naman
12-16-2010 08:05 AM
Hi Naman,
The book doesn't state that phase 2 uses UDP port 4500; I have read this before and run some debugs on the ASA to verify.
Still, the 4500 UDP port is used to encapsulate the IPsec traffic in UDP when there is a device performing NAT, and would therefore require the ASA to be configured with the following:
ASA# Isakmp nat-traversal 20
However, it doesn't mean that ISAKMP won't still use port 500 UDP for phase 1 whenever NAT-T is used.
Let me know your opinion,
Regards,
Mohamed
12-16-2010 09:50 AM
Hi Mohamed,
You are right that "isakmp nat-traversal.." needs to be enabled, but it is enabled by default on the ASA, so unless it was disabled earlier this step doesn't need to be performed.
With or without NAT-T, the first 4 packets (MM1 - MM4) will always use UDP 500.
However, after this, if NAT-T was negotiated then all further communication will use UDP 4500 (remaining phase 1 i.e. MM5\MM6, Phase 2, Data).
So Phase 2 does use UDP 4500 when NAT-T was negotiated earlier.
The best way for you to look at it will be to do a packet capture.
Thanks,
Naman
12-20-2010 07:45 AM
Sorry for my delay and thank you all for the support.
Today I'll try all the possible solutions you wrote (also to discover what was the problem), but since my ISP finally allowed my firewall to have a public ip, I think all the troubles will disappear (I hope.. )
03-27-2013 07:22 AM
Hi all,
here is my solution.
Disable NAT-T as follows:
crypto map MyMap 1 set nat-t-disable
This will avoid the use of 4500/udp
Explanation:
11: 17:30:07.748313 initiator.500 > responder.500: udp 364 packet 1
12: 17:30:07.749640 responder.500 > initiator.500: udp 132 packet 2
13: 17:30:07.782826 initiator.500 > responder.500: udp 304 packet 3
14: 17:30:07.784734 responder.500 > initiator.500: udp 304 packet 4
15: 17:30:07.817813 initiator.4500 > responder.4500: udp 112 - (packet 5)you started waiting for packet 6
16: 17:30:07.818698 responder.4500 > initiator.4500: udp 112 - (packet6 was sent) I'm good so I am active now. But the initiator never got packet 6
I hope this makes sense!
Cheers.
Marty-
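Naman's capture check and Marty's "show capture" output above both rely on reading the six main-mode packets and the port shift to UDP 4500 by eye. The following is an added example, not code from the thread: it parses capture lines in that format and reports which message the ASA is waiting for. The "initiator"/"responder" names and the sample lines are constructed; on a real box you would pass the peer IPs instead.

```python
import re

# Constructed sample in the style of the ASA "show capture" output quoted in the
# thread: MM1-MM4 on UDP 500, the shift to UDP 4500 once NAT-T has been
# detected, and no sixth packet coming back from the responder.
STALLED_CAPTURE = """\
11: 17:30:07.748313 initiator.500 > responder.500: udp 364
12: 17:30:07.749640 responder.500 > initiator.500: udp 132
13: 17:30:07.782826 initiator.500 > responder.500: udp 304
14: 17:30:07.784734 responder.500 > initiator.500: udp 304
15: 17:30:07.817813 initiator.4500 > responder.4500: udp 112
"""

LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>.+?)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>.+?)\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)"
)

def parse_capture(text):
    """Return (src, sport, dst, dport, length) for every UDP line that parses."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append((m["src"], int(m["sport"]), m["dst"],
                         int(m["dport"]), int(m["length"])))
    return pkts

def diagnose_main_mode(pkts, initiator):
    """Map consecutive ISAKMP packets onto MM1..MM6 and report where they stop.

    Assumes the capture is filtered to the two peers, so the n-th packet is MMn
    (odd ones from the initiator, even ones from the responder).
    """
    for n, (src, sport, _dst, dport, _length) in enumerate(pkts[:6], start=1):
        if (src == initiator) != (n % 2 == 1):
            return {"status": "unexpected direction", "at_message": n}
        if n <= 4 and (sport, dport) != (500, 500):  # MM1-MM4 are always on 500
            return {"status": "wrong port", "at_message": n}
    seen = min(len(pkts), 6)
    nat_t = seen >= 5 and (pkts[4][1], pkts[4][3]) == (4500, 4500)  # MM5 on 4500
    if seen == 6:
        return {"status": "main mode complete", "nat_t": nat_t}
    waiting_for = seen + 1
    # A missing MM6 must come back on the port MM5 was sent from (4500 with NAT-T).
    port = 500 if waiting_for <= 4 else (pkts[4][1] if waiting_for == 6 else None)
    return {"status": f"MM_WAIT_MSG{waiting_for}", "nat_t": nat_t,
            "missing_from": "responder" if waiting_for % 2 == 0 else "initiator",
            "expected_port": port}
```

If the result says MM_WAIT_MSG6 on port 4500, the next check is a capture in front of the Juniper (or the ISP path), exactly as Naman describes.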