
OUTSIDE_cryptomap_65535.65535

m-rasouli
Level 1

Hello,

I have a problem with VPN on my ASA 5520.

If I enable OUTSIDE_cryptomap_65535.65535 in the access list, the clients outside can make VPN and access the network, but everything else (internet, site-to-site VPN, web access, ping ...) is disabled.

If I disable OUTSIDE_cryptomap_65535.65535 everything runs well, but clients cannot make VPN.

Any help?

Thanks

3 Replies

Jouni Forss
VIP Alumni

Hi,

We would need to see more configurations.

At the very least we should see the output of

show run crypto

To get some idea of your setup.

- Jouni

m-rasouli
Level 1

Here is the log:

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set EZ-L2L-SET-1 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set DIPLEXA-SET esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set Bechtle esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set Westtours-Transform esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set RETARUS-SET esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set Company-RA-SET esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set Lambdalogic-IPsec-Policy esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set DSGV-BL-BX-SET esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set MR-Transfer-Set esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address OUTSIDE_cryptomap_65535.65535
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set Company-RA-SET
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap_1
crypto map OUTSIDE_map 1 set peer x.x.x.x
crypto map OUTSIDE_map 1 set ikev1 transform-set Lambdalogic-IPsec-Policy
crypto map OUTSIDE_map 2 match address OUTSIDE_2_cryptomap
crypto map OUTSIDE_map 2 set pfs
crypto map OUTSIDE_map 2 set peer x.x.x.x
crypto map OUTSIDE_map 2 set ikev1 transform-set DIPLEXA-SET
crypto map OUTSIDE_map 2 set security-association lifetime kilobytes 9608000
crypto map OUTSIDE_map 3 match address OUTSIDE_cryptomap_2
crypto map OUTSIDE_map 3 set pfs group5
crypto map OUTSIDE_map 3 set peer x.x.x.x
crypto map OUTSIDE_map 3 set ikev1 transform-set Company-BL-BX-SET
crypto map OUTSIDE_map 3 set ikev2 pre-shared-key *****
crypto map OUTSIDE_map 4 match address OUTSIDE_cryptomap
crypto map OUTSIDE_map 4 set pfs group5
crypto map OUTSIDE_map 4 set peer x.x.x.x
crypto map OUTSIDE_map 4 set ikev1 transform-set Westtours-Transform
crypto map OUTSIDE_map 4 set nat-t-disable
crypto map OUTSIDE_map 5 match address OUTSIDE_5_cryptomap
crypto map OUTSIDE_map 5 set peer x.x.x.x
crypto map OUTSIDE_map 5 set ikev1 transform-set Bechtle ESP-3DES-SHA
crypto map OUTSIDE_map 6 match address OUTSIDE_6_cryptomap
crypto map OUTSIDE_map 6 set pfs
crypto map OUTSIDE_map 6 set peer x.x.x.x
crypto map OUTSIDE_map 6 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE_map 6 set reverse-route
crypto map OUTSIDE_map 7 match address OUTSIDE_cryptomap_3
crypto map OUTSIDE_map 7 set peer x.x.x.x
crypto map OUTSIDE_map 7 set ikev1 transform-set MR-Transfer-Set
crypto map OUTSIDE_map 8 match address OUTSIDE_cryptomap_4
crypto map OUTSIDE_map 8 set peer x.x.x.x
crypto map OUTSIDE_map 8 set ikev1 transform-set MR-Transfer-Set
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE


crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 29
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime none
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 31
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 32
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600

Hi,

This configuration line should not be configured:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address OUTSIDE_cryptomap_65535.65535

First you would need to tell me what your aim with this is?

If you want to tell the ASA what traffic should be tunneled for a VPN Client connection then you would have to use Split Tunnel configurations under the "group-policy" of the VPN Client configuration.

So I would need to know what you are trying to accomplish and then take a look at your current ASA configuration to determine the correct configurations needed to get this working.

- Jouni
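
A check for the line the last reply singles out, as an added example that is not part of the thread and not a Cisco tool: it scans "show run crypto" output for dynamic-map entries that carry "match address" and reports which crypto map and interface they are attached to. The function name audit_dynamic_maps and the trimmed sample config are constructed for illustration.

```python
import re

# Constructed sample: a trimmed "show run crypto" in the shape posted in this thread.
SAMPLE_CONFIG = """\
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address OUTSIDE_cryptomap_65535.65535
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set Company-RA-SET
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap_1
crypto map OUTSIDE_map 1 set peer x.x.x.x
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
"""

DYN_MATCH = re.compile(r"^crypto dynamic-map (\S+) (\d+) match address (\S+)$")
DYN_BIND = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
MAP_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def audit_dynamic_maps(config):
    """Return one finding per dynamic-map entry that carries 'match address'."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    binds = {}   # dynamic-map name -> [(crypto map name, sequence)]
    ifaces = {}  # crypto map name -> [interface names]
    for ln in lines:
        bind, iface = DYN_BIND.match(ln), MAP_IFACE.match(ln)
        if bind:
            binds.setdefault(bind.group(3), []).append((bind.group(1), int(bind.group(2))))
        elif iface:
            ifaces.setdefault(iface.group(1), []).append(iface.group(2))
    findings = []
    for ln in lines:
        m = DYN_MATCH.match(ln)
        if not m:
            continue
        name, seq, acl = m.group(1), int(m.group(2)), m.group(3)
        # Follow dynamic map -> static crypto map entry -> interface it is applied to.
        attached = [(cmap, s, itf) for cmap, s in binds.get(name, [])
                    for itf in ifaces.get(cmap, [])]
        findings.append({"dynamic_map": name, "seq": seq, "acl": acl,
                         "attached_to": attached, "remove_with": "no " + ln})
    return findings


if __name__ == "__main__":
    for f in audit_dynamic_maps(SAMPLE_CONFIG):
        print(f"{f['dynamic_map']} {f['seq']} matches ACL {f['acl']}")
        for cmap, s, itf in f["attached_to"]:
            print(f"  reached via crypto map {cmap} seq {s} on interface {itf}")
        print(f"  to remove: {f['remove_with']}")
```

Review the reported line against the intended remote-access design before applying the printed "no" form on the ASA.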