Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
376
Views
0
Helpful
2
Replies

Making the same mistake over and over. Drop at VPN encryption

Albert Wong
Level 1
Level 1

‎07-14-2013 02:02 PM

I don't get it, I have 3 VPNs now with the same problem... and I just can't see what is wrong.

It seems that it goes OK with that NAT and identify data that need to be pushed into the tunnel but it seems that all data is being dropped.

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) source static May_Net May_Net destination static ServerNet ServerNet

Additional Information:

Static translate 10.2.33.101/80 to 10.2.33.101/80

Phase: 4

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

very simple config...

ASA Version 8.6(1)

!

hostname may-may

enable password xxxxxxxxxxxxxF encrypted

passwd nnnnnnnnnnnn encrypted

names

name 7.7.7.7 HQ_peer

name 10.1.1.0 ServerNet description Hans Server Network

!

interface Ethernet0/0

description To HKBN via Fourseasons Hotel

!

interface Ethernet0/1

description To Penthouse network

switchport access vlan 2

!

interface Ethernet0/2

switchport access vlan 2

!

interface Ethernet0/3

switchport access vlan 2

!

interface Ethernet0/4

switchport access vlan 2

!

interface Ethernet0/5

description Apple Airport Extrement ac

switchport access vlan 2

!

interface Ethernet0/6

switchport access vlan 2

!

interface Ethernet0/7

description Cisco Phone

switchport access vlan 2

!

interface Vlan1

nameif outside

security-level 0

ip address x.x.x.7 255.255.255.240

!

interface Vlan2

nameif inside

security-level 100

ip address 10.2.33.254 255.255.255.0

!

boot system disk0:/asa861-k8.bin

ftp mode passive

object network May_Net

subnet 10.2.33.0 255.255.255.0

object network ServerNet

subnet 10.1.1.0 255.255.255.128

access-list outside_1_cryptomap extended permit ip 10.2.33.0 255.255.255.0 10.1.1.0 255.255.255.128

pager lines 24

logging enable

logging buffered informational

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool VPNNET 10.2.9.1-10.2.9.30 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-66114.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static May_Net May_Net destination static ServerNet ServerNet

nat (inside,outside) source dynamic any interface

route outside 0.0.0.0 0.0.0.0  x.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 10.2.32.0 255.255.255.0 inside

http 10.2.33.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set AES esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer HansHQ_peer

crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

fqdn may.internal

subject-name CN=may-maya

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate 1eae4d51

    :snip

    b0592e61 e6676828 936c9b91 c63932fd ef00ae1e ecfa78b6 29020301 0001300d

    06092a86 4886f70d 01010505 00038181 007b6e75 553d9700 d9e29f82 b348ad98

    b061de18 0a24ed58 abf40469 0155b1fe 7515511e e40634f9 44e16626 3c41b353

    b0c1a348 78734ba5 333703b0 2bacdc42 385f0daa f5ec08b9 07541550 ab289688

    f2ddd336 79cc3cfa a9e8e4fa ef094f7e 49e0088a d8b19701 4032bedd 39a9f2a9

    fd4c4797 499aaaac ab0e10af 9488f556 ac

  quit

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet ServerNet 255.255.255.0 outside

telnet 10.2.32.0 255.255.255.0 inside

telnet 10.2.33.0 255.255.255.0 inside

telnet timeout 1440

ssh timeout 5

console timeout 0

dhcpd address 10.2.33.10-10.2.33.41 inside

dhcpd dns 8.8.8.8 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port number-of-rate 2

threat-detection statistics protocol number-of-rate 2

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 averag

e-rate 200

ntp server 10.1.1.1

ssl trust-point ASDM_TrustPoint0 outside

webvpn

group-policy GroupPolicy_MaResidence internal

group-policy GroupPolicy_MaResidence attributes

wins-server none

dns-server value 8.8.8.8

vpn-tunnel-protocol ssl-client

default-domain value my.internal

tunnel-group 7.7.7.7 type ipsec-l2l

tunnel-group 7.7.7.7 ipsec-attributes

ikev1 pre-shared-key *****

!

!

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DD

CEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

hpm topN enable

Cryptochecksum:9ea8b9349f9ec2b32638f506cdf9504d

: end

Labels:
0 Helpful
2 Replies 2

Richard Burts
Hall of Fame
Hall of Fame

‎07-14-2013 03:26 PM

I am not clear why your VPN is not working. One thing I notice and am puzzled about. Given that you have configured objects for May_Net and for ServerNet I wonder why your crypto access list is using the addresses rather than the objects? I wonder what the behavior would be if you change the crypto access list and had it use the object names?

HTH

Rick

HTH

Rick
0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni

‎07-14-2013 10:37 PM

Hi,

Is this in service? Are you running the packet tracer ahead of time before you hook this up?

Also can you provide the syntax of your packet tracer input. Also how is your non encrypted traffic for example Web traffic going through the Asa?


Sent from Cisco Technical Support Android App

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents