2623 Views | 0 Helpful | 7 Replies

Site-To-Site IPsec Tunnel between ASA (Static IP) and Mikrotik Firewall (Dynamic IP): cannot telnet through RouterOS or open HTTPS

wangbin006599 (Spotlight)
I purchased Mikrotik hardware devices and intend to use RouterOS to establish a VPN with the headquarters Cisco ASA firewall. The aim is for a branch, perhaps with two devices, to access the headquarters server over the public network through an IPsec VPN.

But now I am having some problems. I have the branches and the headquarters Cisco ASA establishing the IPsec VPN successfully.
1) The branch RouterOS WAN port uses a private IP address and establishes the IPsec VPN with the headquarters ASA's outside public address. The VPN is established successfully, and from the branch I can ping the headquarters internal servers and switch. However, there is a problem: when I go through RouterOS to visit the headquarters server, the HTTPS pages cannot be opened, and telnet to the internal switches connects, but I am unable to enter characters.
2) In addition, when I set the branch RouterOS WAN port to a public IP address and establish the IPsec VPN with the headquarters ASA, the problems above are not found: the server can be accessed, and telnet to the switch accepts text and commands.
At present I cannot get past this problem, because I need to create very, very many branches that all need to communicate with headquarters, so I have to use private IP addresses on the branch WAN ports; it is not possible for every WAN port to have a public IP address for establishing the IPsec VPN with headquarters.

Now I cannot telnet to the Cisco router inside the ASA or open the inside HTTPS web page, and I cannot fix the problem.

Now, the ASA configuration:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 49.239.3.10 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.17.0.111 255.255.255.0

object network inside
subnet 172.17.1.0 255.255.255.0
object network outsidevpn
subnet 192.168.0.0 255.255.0.0

nat (inside,outside) source static inside inside destination static outsidevpn outsidevpn no-proxy-arp route-lookup

route outside 0.0.0.0 0.0.0.0 49.239.3.1 1
route inside 172.17.1.0 255.255.255.0 172.17.0.5 1

crypto ipsec ikev1 transform-set cisco esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map cisco 1000 set pfs
crypto dynamic-map cisco 1000 set ikev1 transform-set cisco
crypto dynamic-map cisco 1000 set reverse-route
crypto map cisco 1000 ipsec-isakmp dynamic cisco
crypto map cisco interface outside
crypto ca trustpool policy
crypto isakmp nat-traversal 60
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****

Accepted Solution

Hi,

Could you share the output of show cry ipsec sa peer 49.239.3.10 from the other device?

Regards,

Aditya


7 Replies

wangbin006599 (Spotlight)

Telnet from the router to headquarters cannot enter characters; the HTTPS web pages of the CUCM server inside cannot be opened.

Aditya Ganjoo (Cisco Employee)

Hi,

Please share the syslogs of the ASA at the time of the issue.

Also share the output for the tunnel: sh cry isa sa and sh cry ips sa

Regards,

Aditya

Please rate helpful posts.

ciscoasa(config)# sh crypto ipsec sa
interface: outside
Crypto map tag: cisco, seq num: 1000, local addr: 49.239.3.10

local ident (addr/mask/prot/port): (172.17.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.88.0/255.255.255.0/0/0)
current_peer: 49.239.0.226


#pkts encaps: 109, #pkts encrypt: 109, #pkts digest: 109
#pkts decaps: 24, #pkts decrypt: 24, #pkts verify: 24
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 109, #pkts comp failed: 0, #pkts decomp failed: 0
#post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 49.239.3.10/4500, remote crypto endpt.: 49.239.0.226/29473
path mtu 1500, ipsec overhead 66(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 0139748B
current inbound spi : 41B82D1E

inbound esp sas:
spi: 0x41B82D1E (1102589214)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv1, }
slot: 0, conn_id: 155648, crypto-map: cisco
sa timing: remaining key lifetime (kB/sec): (4374000/1696)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x0139748B (20542603)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv1, }
slot: 0, conn_id: 155648, crypto-map: cisco
sa timing: remaining key lifetime (kB/sec): (4374000/1696)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

ciscoasa(config)# sh crypto isakmp sa

IKEv1 SAs:

Active SA: 3
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3


1 IKE Peer: 49.239.3.200
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE


ciscoasa(config)# sh crypto ipsec sa peer 49.239.3.10

There are no ipsec sas for peer 49.239.3.10
ciscoasa(config)# sh crypto ipsec sa peer 49.239.3.200
peer address: 49.239.3.200
Crypto map tag: cisco, seq num: 1000, local addr: 49.239.3.10

local ident (addr/mask/prot/port): (172.17.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.90.0/255.255.255.0/0/0)
current_peer: 49.239.3.200


#pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
#pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 20, #pkts comp failed: 0, #pkts decomp failed: 0
#post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 49.239.3.10/4500, remote crypto endpt.: 49.239.3.200/4500
path mtu 1500, ipsec overhead 66(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 07553A5F
current inbound spi : F70DCB8C

inbound esp sas:
spi: 0xF70DCB8C (4144876428)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv1, }
slot: 0, conn_id: 233472, crypto-map: cisco
sa timing: remaining key lifetime (kB/sec): (4373998/1774)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x003FFFFF
outbound esp sas:
spi: 0x07553A5F (123026015)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv1, }
slot: 0, conn_id: 233472, crypto-map: cisco
sa timing: remaining key lifetime (kB/sec): (4373998/1774)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
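As an added example (not code from the thread, Cisco or MikroTik), here is a small Python parser for the two "show crypto ipsec sa" outputs quoted above. It pulls each SA's peer, protected network, NAT-T port and encaps/decaps counters, then flags the two things worth noticing in this thread: a remote port other than 4500 (a NAT in front of the branch, as in the private-WAN case) and a large encaps/decaps imbalance (the ASA sends far more than it gets back through the tunnel). The sample text is a trimmed copy of the outputs above, and the 2:1 ratio is an assumed threshold.

```python
import re

# Constructed sample: a trimmed excerpt of the two "show crypto ipsec sa" outputs
# quoted in this thread (only the lines this parser reads; real output has more).
SAMPLE = """\
Crypto map tag: cisco, seq num: 1000, local addr: 49.239.3.10
local ident (addr/mask/prot/port): (172.17.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.88.0/255.255.255.0/0/0)
current_peer: 49.239.0.226
#pkts encaps: 109, #pkts encrypt: 109, #pkts digest: 109
#pkts decaps: 24, #pkts decrypt: 24, #pkts verify: 24
local crypto endpt.: 49.239.3.10/4500, remote crypto endpt.: 49.239.0.226/29473
Crypto map tag: cisco, seq num: 1000, local addr: 49.239.3.10
local ident (addr/mask/prot/port): (172.17.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.90.0/255.255.255.0/0/0)
current_peer: 49.239.3.200
#pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
#pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
local crypto endpt.: 49.239.3.10/4500, remote crypto endpt.: 49.239.3.200/4500
"""

FIELDS = {
    "peer": r"current_peer: ([\d.]+)",
    "remote_net": r"remote ident[^:]*: \(([\d.]+)/",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "remote_port": r"remote crypto endpt\.: [\d.]+/(\d+)",
}

def parse_ipsec_sa(text):
    """Return one dict per SA block of ASA 'show crypto ipsec sa' output."""
    sas = []
    for block in re.split(r"^Crypto map tag:", text, flags=re.M)[1:]:
        sa = {}
        for name, pattern in FIELDS.items():
            value = re.search(pattern, block).group(1)  # AttributeError if absent
            sa[name] = int(value) if value.isdigit() else value
        sas.append(sa)
    return sas

def diagnose(sa, ratio=2.0):
    """Heuristic findings for one SA: peer behind NAT, and one-way traffic."""
    findings = []
    # NAT-T peers talk from UDP/4500; any other port means a NAT rewrote it.
    if sa["remote_port"] not in (500, 4500):
        findings.append("peer is behind NAT (NAT-T port %d)" % sa["remote_port"])
    # Far more encaps than decaps: the ASA sends, but little comes back in the tunnel.
    if sa["encaps"] >= ratio * max(sa["decaps"], 1):
        findings.append("one-way traffic: %d encaps vs %d decaps" % (sa["encaps"], sa["decaps"]))
    return findings
```

On the thread's own numbers only the NAT-T peer (109/24) trips both checks while the public-IP peer (20/20) is clean, which points at the branch side, where the OP eventually found the fasttrack rule.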

Thank you for your reply. I studied it a little more carefully and the problem is resolved: we need to open the RouterOS firewall inside fasttrack to accept!

My ASA outside public IP is 49.239.3.10.