10-22-2012 11:05 AM
Can someone review my configuration and let me know what I'm missing? I do not control the ASA side of the VPN. Logs show the following on the ASA --
IPSEC(sa_initiate): invalid parameters
IOS:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
authentication pre-share
group 2
crypto isakmp key SECRET address 64.132.34.194
crypto isakmp key SECRET address 50.58.84.236
crypto isakmp keepalive 60
!
crypto isakmp policy 3
authentication pre-share
encr aes 128
hash md5
group 2
crypto isakmp key SECRET address 85.93.125.201
crypto isakmp keepalive 60
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to64.132.34.194
set peer 64.132.34.194
set transform-set ESP-3DES-SHA
match address 101
!
crypto map SDM_CMAP_1 5 ipsec-isakmp
description Tunnel to PARTNER
set peer 85.93.125.201
set transform-set ESP-AES128-SHA
match address 108
!
interface GigabitEthernet0/0
ip address 50.58.79.170 255.255.255.252
ip access-group 104 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
!
interface GigabitEthernet0/1
description $ETH-LAN$
ip address 172.16.100.1 255.255.255.252
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
!
!
ASA:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
!
object-group network OVN_SUBNETS
network-object 10.11.12.41 255.255.255.255
network-object 10.11.12.55 255.255.255.255
network-object 10.11.12.59 255.255.255.255
network-object 192.168.0.0 255.255.0.0
object-group network SDE_SUBNETS
network-object 10.150.0.0 255.255.0.0
!
access-list 60 permit ip object-group SDE_SUBNETS object-group OVN_SUBNETS
ip address outside 85.93.125.201 255.255.255.224
ip address inside 10.150.0.254 255.255.0.0
global (outside) 1 interface
access-group 100 in interface inside
route outside 0.0.0.0 0.0.0.0 85.93.125.193 1
crypto ipsec transform-set ovnset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ovnset
crypto map OVN 1 ipsec-isakmp
crypto map OVN 1 match address 60
crypto map OVN 1 set peer 50.58.79.170
crypto map OVN 1 set transform-set ovnset
crypto map OVN interface outside
isakmp enable outside
isakmp key ******** address 50.58.79.170 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
ovn.sde.cz# show isakmp
isakmp enable outside
isakmp key ******** address 50.58.79.170 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
ovn.sde.cz# show crypto ipsec security-association lifetime
Security association lifetime: 4608000 kilobytes/28800 seconds
ovn.sde.cz# show crypto ipsec transform-set
Transform set ovnset: { esp-aes esp-sha-hmac }
will negotiate = { Tunnel, }
Thanks
10-22-2012 11:33 AM
Hi,
Recommended actions:
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
ip access-list extended VPN_TO_OVN
permit ip host 10.11.12.41 10.150.0.0 0.0.255.255
permit ip host 10.11.12.55 10.150.0.0 0.0.255.255
permit ip host 10.11.12.59 10.150.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 10.150.0.0 0.0.255.255
!
crypto map SDM_CMAP_1 5 ipsec-isakmp
match address VPN_TO_OVN
* I changed the ACL to a more accurate and best practice fashion, but the real change is the ISAKMP policy.
Keep me posted.
Portu.
Please rate any helpful posts
Message was edited by: Javier Portuguez
10-22-2012 11:47 AM
That didn't do anything... Now I've got both in there, to no avail...
crypto isakmp policy 3
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
And a correction... The far side is a PIX 506 v6.3(5)
10-22-2012 11:51 AM
Thanks for the heads up, I missed the number 3.
We need to run debugs on the Router side:
debug crypto condition peer ipv4 85.93.125.201
debug crypto isakmp
debug crypto ipsec
Thanks.
10-22-2012 12:29 PM
Thanks for your reply... Here's the debug info from the router side...
*Oct 22 15:22:44.239: ISAKMP:(1173): sending packet to 85.93.125.201 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Oct 22 15:22:44.239: ISAKMP:(1173):Sending an IKE IPv4 Packet.
*Oct 22 15:22:44.239: ISAKMP:(1173):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 22 15:22:44.239: ISAKMP:(1173):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Oct 22 15:22:44.379: ISAKMP (1173): received packet from 85.93.125.201 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Oct 22 15:22:44.379: ISAKMP:(1173): processing ID payload. message ID = 0
*Oct 22 15:22:44.379: ISAKMP (1173): ID payload
next-payload : 8
type : 2
FQDN name : ovn.sde.cz.sde.cz
protocol : 17
port : 500
length : 25
*Oct 22 15:22:44.379: ISAKMP:(1173): processing HASH payload. message ID = 0
*Oct 22 15:22:44.379: ISAKMP:(1173):SA authentication status:
authenticated
*Oct 22 15:22:44.379: ISAKMP:(1173):SA has been authenticated with 85.93.125.201
*Oct 22 15:22:44.379: ISAKMP:(1173):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 22 15:22:44.379: ISAKMP:(1173):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Oct 22 15:22:44.379: ISAKMP:(1173):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 22 15:22:44.379: ISAKMP:(1173):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Oct 22 15:22:44.379: ISAKMP:(1173):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 22 15:22:44.379: ISAKMP:(1173):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Oct 22 15:22:44.383: ISAKMP:(1173):IKE_DPD is enabled, initializing timers
*Oct 22 15:22:44.383: ISAKMP:(1173):beginning Quick Mode exchange, M-ID of 974803726
*Oct 22 15:22:44.383: ISAKMP:(1173):QM Initiator gets spi
*Oct 22 15:22:44.383: ISAKMP:(1173): sending packet to 85.93.125.201 my_port 500 peer_port 500 (I) QM_IDLE
*Oct 22 15:22:44.383: ISAKMP:(1173):Sending an IKE IPv4 Packet.
*Oct 22 15:22:44.383: ISAKMP:(1173):Node 974803726, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Oct 22 15:22:44.383: ISAKMP:(1173):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Oct 22 15:22:44.383: ISAKMP:(1173):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Oct 22 15:22:44.383: ISAKMP:(1173):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Oct 22 15:22:44.523: ISAKMP (1173): received packet from 85.93.125.201 dport 500 sport 500 Global (I) QM_IDLE
*Oct 22 15:22:44.523: ISAKMP: set new node -536386072 to QM_IDLE
*Oct 22 15:22:44.523: ISAKMP:(1173): processing HASH payload. message ID = -536386072
*Oct 22 15:22:44.523: ISAKMP:(1173): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 0
spi 0, message ID = -536386072, sa = 29D3B52C
*Oct 22 15:22:44.523: ISAKMP:(1173):peer does not do paranoid keepalives.
*Oct 22 15:22:44.523: ISAKMP:(1173):deleting node -536386072 error FALSE reason "Informational (in) state 1"
*Oct 22 15:22:44.523: ISAKMP:(1173):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 22 15:22:44.523: ISAKMP:(1173):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Oct 22 15:22:54.383: ISAKMP:(1173): retransmitting phase 2 QM_IDLE 974803726 ...
*Oct 22 15:22:54.383: ISAKMP (1173): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Oct 22 15:22:54.383: ISAKMP (1173): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*Oct 22 15:22:54.383: ISAKMP:(1173): retransmitting phase 2 974803726 QM_IDLE
*Oct 22 15:22:54.383: ISAKMP:(1173): sending packet to 85.93.125.201 my_port 500 peer_port 500 (I) QM_IDLE
*Oct 22 15:22:54.383: ISAKMP:(1173):Sending an IKE IPv4 Packet.
*Oct 22 15:22:56.355: %SEC-6-IPACCESSLOGP: list 104 denied udp 98.139.138.157(3128) -> 50.58.79.170(48222), 1 packet
*Oct 22 15:22:58.299: %SEC-6-IPACCESSLOGP: list 104 permitted udp 66.162.108.21(123) -> 50.58.79.170(29), 1 packet
*Oct 22 15:23:03.911: ISAKMP:(1172):purging node -1876871100
*Oct 22 15:23:04.083: %SEC-6-IPACCESSLOGP: list 104 denied udp 94.156.125.64(38501) -> 50.58.79.170(15674), 1 packet
*Oct 22 15:23:04.383: ISAKMP:(1173): retransmitting phase 2 QM_IDLE 974803726 ...
*Oct 22 15:23:04.383: ISAKMP (1173): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
*Oct 22 15:23:04.383: ISAKMP (1173): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
*Oct 22 15:23:04.383: ISAKMP:(1173): retransmitting phase 2 974803726 QM_IDLE
*Oct 22 15:23:04.383: ISAKMP:(1173): sending packet to 85.93.125.201 my_port 500 peer_port 500 (I) QM_IDLE
*Oct 22 15:23:04.383: ISAKMP:(1173):Sending an IKE IPv4 Packet.
*Oct 22 15:23:09.071: %SEC-6-IPACCESSLOGP: list 104 denied udp 157.55.235.156(443) -> 50.58.79.170(15674), 1 packet
*Oct 22 15:23:10.575: %SEC-6-IPACCESSLOGP: list 104 denied udp 207.114.59.68(57004) -> 50.58.79.170(137), 1 packet
*Oct 22 15:23:12.983: %SEC-6-IPACCESSLOGP: list 104 permitted udp 211.39.136.4(123) -> 50.58.79.170(36), 1 packet
*Oct 22 15:23:13.771: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 50.58.79.170, remote= 85.93.125.201,
local_proxy= 10.11.12.41/255.255.255.255/0/0 (type=1),
remote_proxy= 10.150.0.0/255.255.0.0/0/0 (type=4)
*Oct 22 15:23:13.771: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 50.58.79.170, remote= 85.93.125.201,
local_proxy= 10.11.12.41/255.255.255.255/0/0 (type=1),
remote_proxy= 10.150.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Oct 22 15:23:13.771: ISAKMP: set new node 0 to QM_IDLE
*Oct 22 15:23:13.771: SA has outstanding requests (local 41.211.182.176 port 500, remote 41.211.182.148 port 500)
*Oct 22 15:23:13.771: ISAKMP:(1173): sitting IDLE. Starting QM immediately (QM_IDLE )
*Oct 22 15:23:13.771: ISAKMP:(1173):beginning Quick Mode exchange, M-ID of -1501071187
*Oct 22 15:23:13.771: ISAKMP:(1173):QM Initiator gets spi
*Oct 22 15:23:13.771: ISAKMP:(1173): sending packet to 85.93.125.201 my_port 500 peer_port 500 (I) QM_IDLE
*Oct 22 15:23:13.771: ISAKMP:(1173):Sending an IKE IPv4 Packet.
*Oct 22 15:23:13.771: ISAKMP:(1173):Node -1501071187, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Oct 22 15:23:13.771: ISAKMP:(1173):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Oct 22 15:23:13.911: ISAKMP (1173): received packet from 85.93.125.201 dport 500 sport 500 Global (I) QM_IDLE
*Oct 22 15:23:13.911: ISAKMP: set new node 779634522 to QM_IDLE
*Oct 22 15:23:13.911: ISAKMP:(1173): processing HASH payload. message ID = 779634522
*Oct 22 15:23:13.911: ISAKMP:(1173): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 0
spi 0, message ID = 779634522, sa = 29D3B52C
*Oct 22 15:23:13.911: ISAKMP:(1173):peer does not do paranoid keepalives.
*Oct 22 15:23:13.911: ISAKMP:(1173):deleting node 779634522 error FALSE reason "Informational (in) state 1"
*Oct 22 15:23:13.911: ISAKMP:(1173):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 22 15:23:13.911: ISAKMP:(1173):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Oct 22 15:23:14.299: %SEC-6-IPACCESSLOGP: list 104 permitted udp 66.162.108.21(123) -> 50.58.79.170(29), 1 packet
*Oct 22 15:23:14.383: ISAKMP:(1173): retransmitting phase 2 QM_IDLE 974803726 ...
*Oct 22 15:23:14.383: ISAKMP (1173): incrementing error counter on node, attempt 3 of 5: retransmit phase 2
*Oct 22 15:23:14.383: ISAKMP (1173): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2
*Oct 22 15:23:14.383: ISAKMP:(1173): retransmitting phase 2 974803726 QM_IDLE
*Oct 22 15:23:14.383: ISAKMP:(1173): sending packet to 85.93.125.201 my_port 500 peer_port 500 (I) QM_IDLE
*Oct 22 15:23:14.383: ISAKMP:(1173):Sending an IKE IPv4 Packet.
10-22-2012 12:45 PM
Thanks for the prompt response.
From the logs:
*Oct 22 15:22:44.523: ISAKMP:(1173): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 0
spi 0, message ID = -536386072, sa = 29D3B52C
It looks like a Phase II mismatch. The debugs suggest you are trying to reach the remote server by its FQDN. Is this correct?
*Oct 22 15:22:44.379: ISAKMP:(1173): processing ID payload. message ID = 0
*Oct 22 15:22:44.379: ISAKMP (1173): ID payload
next-payload : 8
type : 2
FQDN name : ovn.sde.cz.sde.cz
protocol : 17
port : 500
length : 25
I suggest contacting the remote peer and reviewing the configuration one more time, since it does not seem to match.
Thanks.
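The "mirror image" review asked for above can be done mechanically. The following Python script is an added example, not code from either participant: it parses the two crypto ACLs exactly as posted (IOS wildcard masks on one side, PIX object-groups on the other), expands both into (local, remote) proxy-identity pairs, reverses the PIX side, and reports any pair one peer proposes that the other has no mirror of, then compares the ESP transforms each crypto map references. The config excerpts are constructed from the thread's posted configs, trimmed to the OVN/SDE tunnel entries only.

```python
"""Mirror-image check for the Phase 2 proxy identities of a site-to-site tunnel."""
import ipaddress

# Constructed excerpt of the IOS side, trimmed to the tunnel toward 85.93.125.201.
IOS_CONFIG = """\
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map SDM_CMAP_1 5 ipsec-isakmp
 set peer 85.93.125.201
 set transform-set ESP-AES128-SHA
 match address 108
access-list 108 permit ip host 10.11.12.41 10.150.0.0 0.0.255.255
access-list 108 permit ip host 10.11.12.55 10.150.0.0 0.0.255.255
access-list 108 permit ip host 10.11.12.59 10.150.0.0 0.0.255.255
access-list 108 permit ip 192.168.0.0 0.0.255.255 10.150.0.0 0.0.255.255
"""

# Constructed excerpt of the PIX side, trimmed to crypto map OVN and its ACL.
PIX_CONFIG = """\
object-group network OVN_SUBNETS
  network-object 10.11.12.41 255.255.255.255
  network-object 10.11.12.55 255.255.255.255
  network-object 10.11.12.59 255.255.255.255
  network-object 192.168.0.0 255.255.0.0
object-group network SDE_SUBNETS
  network-object 10.150.0.0 255.255.0.0
access-list 60 permit ip object-group SDE_SUBNETS object-group OVN_SUBNETS
crypto ipsec transform-set ovnset esp-aes esp-sha-hmac
crypto map OVN 1 match address 60
crypto map OVN 1 set transform-set ovnset
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _ios_term(t, i):
    """Consume one IOS ACL address term (any | host A | A WILDCARD) at t[i]."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks; invert explicitly so that
    # "A 0.0.0.0" becomes a /32 rather than being read as a /0 netmask.
    wildcard = int(ipaddress.ip_address(t[i + 1]))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{t[i]}/{netmask}", strict=False), i + 2


def parse_object_groups(config):
    """Map each 'object-group network NAME' to the networks it contains."""
    groups, current = {}, None
    for line in config.splitlines():
        p = line.split()
        if p[:2] == ["object-group", "network"]:
            current = p[2]
            groups[current] = []
        elif p[:1] == ["network-object"] and current:
            net = p[2] + "/32" if p[1] == "host" else f"{p[1]}/{p[2]}"
            groups[current].append(ipaddress.ip_network(net, strict=False))
    return groups


def _pix_term(t, i, groups):
    """Consume one PIX ACL address term (any | host A | object-group G | A MASK)."""
    if t[i] == "any":
        return [ANY], i + 1
    if t[i] == "host":
        return [ipaddress.ip_network(t[i + 1] + "/32")], i + 2
    if t[i] == "object-group":
        return list(groups[t[i + 1]]), i + 2
    return [ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False)], i + 2


def ios_crypto_acl(config, acl_id):
    """Return the set of (local, remote) proxy pairs an IOS crypto ACL permits."""
    pairs = set()
    for line in config.splitlines():
        t = line.split()
        if t[:4] == ["access-list", acl_id, "permit", "ip"]:
            src, i = _ios_term(t, 4)
            dst, _ = _ios_term(t, i)
            pairs.add((src, dst))
    return pairs


def pix_crypto_acl(config, acl_id):
    """Same for a PIX crypto ACL, expanding object-groups into every pair."""
    groups = parse_object_groups(config)
    pairs = set()
    for line in config.splitlines():
        t = line.split()
        if t[:4] == ["access-list", acl_id, "permit", "ip"]:
            srcs, i = _pix_term(t, 4, groups)
            dsts, _ = _pix_term(t, i, groups)
            pairs.update((s, d) for s in srcs for d in dsts)
    return pairs


def transforms_in_use(config):
    """Set of ESP transform combinations referenced by 'set transform-set'."""
    defined, used = {}, set()
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            defined[t[3]] = frozenset(t[4:])
        elif "transform-set" in t and t[t.index("transform-set") - 1] == "set":
            used.add(t[t.index("transform-set") + 1])
    return {defined[name] for name in used}


def mirror_mismatches(local_pairs, remote_pairs):
    """(only_local, only_remote): pairs lacking a mirror image on the other peer."""
    remote_seen_locally = {(d, s) for s, d in remote_pairs}
    return local_pairs - remote_seen_locally, remote_seen_locally - local_pairs


if __name__ == "__main__":
    only_ios, only_pix = mirror_mismatches(ios_crypto_acl(IOS_CONFIG, "108"),
                                           pix_crypto_acl(PIX_CONFIG, "60"))
    print("IOS proposes but PIX lacks:", sorted(map(str, only_ios)))
    print("PIX proposes but IOS lacks:", sorted(map(str, only_pix)))
    print("transforms equal:", transforms_in_use(IOS_CONFIG) == transforms_in_use(PIX_CONFIG))
```

As posted, the two ACLs are exact mirrors and both sides reference esp-aes/esp-sha-hmac, so the script reports no Phase 2 selector or transform difference; the same functions will flag a single missing network-object or a mistyped wildcard the moment one side drifts.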
10-22-2012 01:17 PM
I actually have access to the remote side right now... And I don't see anywhere within the config that references FQDN...
Here are the complete two updated configs.
Head End Router:
ovn-edge#sh run
Building configuration...
Current configuration : 17230 bytes
!
! Last configuration change at 16:07:51 UTC Mon Oct 22 2012 by chrissy
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ovn-edge
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
ip domain name overturenetworks.com
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-676464576
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-676464576
revocation-check none
rsakeypair TP-self-signed-676464576
!
!
crypto pki certificate chain TP-self-signed-676464576
certificate self-signed 01
quit
license udi pid CISCO2911/K9 sn FTX1523AHJL
license boot module c2900 technology-package securityk9
!
!
object-group network Servers
range 10.11.12.1 10.11.12.100
!
!
redundancy
!
!
no ip ftp passive
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
authentication pre-share
group 2
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key SECRET address 64.132.34.194
crypto isakmp key SECRET address 50.58.84.236
crypto isakmp key SECRET address 85.93.125.201
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to64.132.34.194
set peer 64.132.34.194
set transform-set ESP-3DES-SHA
match address 101
crypto map SDM_CMAP_1 5 ipsec-isakmp
description Tunnel to SDE
set peer 85.93.125.201
set transform-set ESP-AES128-SHA
match address 108
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description SDM_CMAP_2
set peer 50.58.84.236
set transform-set ESP-3DES-SHA1
match address 102
!
!
!
!
!
interface Tunnel0
ip address 172.16.250.1 255.255.255.252
ip mtu 1420
tunnel source GigabitEthernet0/0
tunnel destination 64.132.34.194
tunnel path-mtu-discovery
!
!
interface GigabitEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ETH-WAN$
ip address 50.58.84.234 255.255.255.248 secondary
ip address 50.58.79.170 255.255.255.252
ip access-group 104 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
!
interface GigabitEthernet0/1
description $ETH-LAN$
ip address 172.16.100.1 255.255.255.252
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
!
!
interface GigabitEthernet0/2
ip address 10.21.18.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
!
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool ovrld 50.58.79.170 50.58.79.170 prefix-length 24
ip nat pool ovrld_voip 50.58.84.234 50.58.84.234 prefix-length 24
ip nat inside source static tcp 10.11.12.31 21 interface GigabitEthernet0/0 21
ip nat inside source static tcp 10.11.12.31 20 interface GigabitEthernet0/0 20
ip nat inside source static tcp 10.11.12.31 5201 interface GigabitEthernet0/0 5201
ip nat inside source static tcp 10.11.12.31 5202 interface GigabitEthernet0/0 5202
ip nat inside source static tcp 10.11.12.31 5203 interface GigabitEthernet0/0 5203
ip nat inside source static tcp 10.11.12.31 5204 interface GigabitEthernet0/0 5204
ip nat inside source static tcp 10.11.12.31 5205 interface GigabitEthernet0/0 5205
ip nat inside source static tcp 10.11.12.2 1723 interface GigabitEthernet0/0 1723
ip nat inside source list 6 pool ovrld_voip overload
ip nat inside source static tcp 10.11.12.73 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 10.11.12.73 8010 interface GigabitEthernet0/0 8010
ip nat inside source list 100 pool ovrld overload
ip nat inside source static tcp 10.11.12.57 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 10.11.13.159 51333 interface GigabitEthernet0/0 51333
ip nat inside source static tcp 10.11.12.57 8080 interface GigabitEthernet0/0 8080
ip nat inside source static tcp 10.11.12.57 8009 interface GigabitEthernet0/0 8009
ip nat inside source static tcp 10.11.12.31 1023 50.58.79.170 1023 extendable
ip nat inside source static tcp 10.11.12.84 8888 50.58.79.170 8888 extendable
ip nat inside source static tcp 10.11.12.75 80 50.58.84.234 80 extendable
ip nat inside source static tcp 10.11.12.75 443 50.58.84.234 443 extendable
ip route 0.0.0.0 0.0.0.0 50.58.79.169
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 10.10.10.0 255.255.255.0 Tunnel0
ip route 10.11.12.0 255.255.255.0 172.16.100.2
ip route 10.11.13.0 255.255.255.0 172.16.100.2
ip route 10.11.14.0 255.255.255.0 172.16.100.2
ip route 10.20.20.0 255.255.255.0 Tunnel0
ip route 10.30.30.0 255.255.255.0 Tunnel0
ip route 10.40.40.0 255.255.255.0 Tunnel0
ip route 10.50.50.0 255.255.255.0 Tunnel0
ip route 10.60.60.0 255.255.255.0 Tunnel0
ip route 10.80.80.0 255.255.255.0 Tunnel0
ip route 10.100.0.0 255.255.0.0 172.16.100.2
ip route 192.168.0.0 255.255.0.0 172.16.100.2
!
logging 10.11.12.143
access-list 6 permit 10.21.18.0 0.0.0.255
access-list 7 permit 172.16.100.0 0.0.0.3
access-list 7 permit 10.11.12.0 0.0.0.255
access-list 7 permit 10.11.13.0 0.0.0.255
access-list 7 permit 10.11.14.0 0.0.0.255
access-list 7 permit 192.168.0.0 0.0.255.255
access-list 7 permit 10.100.0.0 0.0.255.255
access-list 100 remark NAT exempt for SDE VPN
access-list 100 deny ip host 10.11.12.41 10.150.0.0 0.0.255.255
access-list 100 deny ip host 10.11.12.55 10.150.0.0 0.0.255.255
access-list 100 deny ip host 10.11.12.59 10.150.0.0 0.0.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 10.150.0.0 0.0.255.255
access-list 100 remark CCP_ACL Category=18
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.16.100.0 0.0.0.3 any
access-list 100 permit ip 10.11.12.0 0.0.0.255 any
access-list 100 permit ip 10.11.13.0 0.0.0.255 any
access-list 100 permit ip 10.11.14.0 0.0.0.255 any
access-list 100 remark OMS Test
access-list 100 permit ip 10.100.0.0 0.0.255.255 any
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 deny gre host 50.58.79.170 host 64.132.34.194
access-list 101 remark SDM_ACL Category=4
access-list 101 permit gre host 50.58.79.170 host 64.132.34.194
access-list 102 remark CCP_ACL Category=4
access-list 102 permit gre host 50.58.79.170 host 50.58.84.236
access-list 103 remark auto generated by SDM firewall configuration##NO_ACES_6##
access-list 103 remark CCP_ACL Category=1
access-list 103 remark Weber
access-list 103 permit tcp host 10.11.12.3 any eq smtp log
access-list 103 remark 19th Hole- Sensor #2
access-list 103 permit tcp host 10.11.13.6 any eq smtp log
access-list 103 remark Berlin SMTP relay
access-list 103 permit tcp host 10.11.12.18 any eq smtp
access-list 103 remark Wiki
access-list 103 permit tcp host 10.11.12.21 any eq smtp log
access-list 103 remark Humperdinck
access-list 103 permit tcp host 10.11.12.27 any eq smtp log
access-list 103 remark Tchai
access-list 103 permit tcp host 10.11.12.32 any eq smtp log
access-list 103 remark IVES (Sendmail)
access-list 103 permit tcp host 10.11.12.36 any eq smtp log
access-list 103 remark LISZT (Arena PL)
access-list 103 permit tcp host 10.11.12.38 any eq smtp log
access-list 103 remark N2 Mahler (Wiki)
access-list 103 permit tcp host 10.11.12.39 any eq smtp log
access-list 103 remark Telemann (JIRA)
access-list 103 permit tcp host 10.11.12.41 any eq smtp log
access-list 103 remark Puccini
access-list 103 permit tcp host 10.11.12.43 any eq smtp
access-list 103 remark Pachelbel
access-list 103 permit tcp host 10.11.12.51 any eq smtp log
access-list 103 remark CHINO
access-list 103 permit tcp host 10.11.12.52 any eq smtp log
access-list 103 remark EMC NX4
access-list 103 permit tcp host 10.11.12.90 any eq smtp log
access-list 103 remark Goodchild (Thunderbird)
access-list 103 permit tcp host 10.11.12.201 any eq smtp
access-list 103 remark Haydn
access-list 103 permit tcp host 10.11.12.248 any eq smtp log
access-list 103 remark Lawes
access-list 103 permit tcp host 10.11.12.56 any eq smtp log
access-list 103 remark Hasse
access-list 103 permit tcp host 10.11.12.55 any eq smtp log
access-list 103 remark TEMPO
access-list 103 permit tcp host 10.11.12.143 any eq smtp log
access-list 103 remark ZIMMER (Agile)
access-list 103 permit tcp host 10.11.12.58 any eq smtp log
access-list 103 remark LOHNER (Agile)
access-list 103 permit tcp host 10.11.12.57 any eq smtp log
access-list 103 remark Test Link
access-list 103 permit tcp host 10.11.12.59 any eq smtp
access-list 103 remark Dussek (SysPro)
access-list 103 permit tcp host 10.11.12.60 any eq smtp log
access-list 103 remark Softserv3
access-list 103 permit tcp host 10.11.12.63 any eq smtp log
access-list 103 remark ClearQuest
access-list 103 permit tcp host 10.11.12.64 any eq smtp
access-list 103 remark Backup02
access-list 103 permit tcp host 10.11.12.71 any eq smtp log
access-list 103 remark MUSTAINE
access-list 103 permit tcp host 10.11.12.81 any eq smtp log
access-list 103 remark Ellington
access-list 103 permit tcp host 10.11.12.84 any eq smtp log
access-list 103 remark Servers (1-100) SMTP
access-list 103 permit tcp object-group Servers any eq smtp log
access-list 103 remark Goodchild Thunderbird
access-list 103 permit tcp host 10.11.13.155 any eq smtp
access-list 103 remark FPGA Script
access-list 103 permit tcp host 10.11.13.61 any eq smtp log
access-list 103 remark FPGA Script
access-list 103 permit tcp host 10.11.13.62 any eq smtp log
access-list 103 remark Goodchild (Wireless)
access-list 103 permit tcp host 10.11.13.82 any eq smtp
access-list 103 remark Goodchild (Wired)
access-list 103 permit tcp host 10.11.13.188 any eq smtp
access-list 103 remark FPGA Script
access-list 103 permit tcp host 10.11.13.189 any eq smtp log
access-list 103 remark Goodchild Thunderbird
access-list 103 permit tcp host 10.11.13.210 any eq smtp
access-list 103 remark Canon
access-list 103 permit tcp host 10.11.14.2 any eq smtp log
access-list 103 remark Ricoh
access-list 103 permit tcp host 10.11.14.5 any eq smtp log
access-list 103 remark Goodchild Thunderbird (WLAN)
access-list 103 permit tcp host 10.11.14.134 any eq smtp
access-list 103 remark Goodchild Thunderbird (WLAN)
access-list 103 permit tcp host 10.11.14.135 any eq smtp log
access-list 103 remark Eng- CQ
access-list 103 permit tcp 10.11.13.0 0.0.0.255 any eq smtp
access-list 103 remark Lab- CQ
access-list 103 permit tcp 192.168.0.0 0.0.255.255 any eq smtp
access-list 103 deny tcp any any eq smtp log
access-list 103 deny ip 50.58.79.168 0.0.0.3 any
access-list 103 deny ip 172.16.250.0 0.0.0.3 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_20##
access-list 104 remark CCP_ACL Category=1
access-list 104 permit gre host 50.58.84.236 host 50.58.79.170
access-list 104 permit udp host 50.58.84.236 host 50.58.79.170 eq non500-isakmp
access-list 104 permit udp host 50.58.84.236 host 50.58.79.170 eq isakmp
access-list 104 permit udp host 85.93.125.201 host 50.58.79.170 eq isakmp
access-list 104 permit esp host 50.58.84.236 host 50.58.79.170
access-list 104 permit esp host 85.93.125.201 host 50.58.79.170
access-list 104 permit ahp host 50.58.84.236 host 50.58.79.170
access-list 104 permit ahp host 85.93.125.201 host 50.58.79.170
access-list 104 permit tcp any any established
access-list 104 permit tcp host 216.134.205.166 any
access-list 104 permit udp host 216.134.205.166 any
access-list 104 permit tcp host 24.106.197.100 any
access-list 104 permit udp host 24.106.197.100 any
access-list 104 permit tcp host 216.134.205.133 any
access-list 104 remark HANDEL NTP
access-list 104 permit udp any eq ntp any log
access-list 104 permit udp host 216.134.205.133 any
access-list 104 permit gre host 64.132.34.194 host 50.58.79.170
access-list 104 permit tcp any host 50.58.79.170 eq ftp
access-list 104 permit tcp any host 50.58.79.170 eq ftp-data
access-list 104 permit tcp any host 50.58.79.170 eq 1023
access-list 104 permit tcp any host 50.58.79.170 eq 1723
access-list 104 permit tcp any host 50.58.84.234 eq www
access-list 104 permit tcp any host 50.58.84.234 eq 443
access-list 104 permit tcp any host 50.58.79.170 eq www
access-list 104 permit tcp any host 50.58.79.170 eq 8080
access-list 104 permit tcp any host 50.58.79.170 eq 443
access-list 104 permit tcp any host 50.58.79.170 eq 8010
access-list 104 remark AD Self Service
access-list 104 permit tcp any host 50.58.79.170 eq 8888
access-list 104 remark Passive FTP
access-list 104 permit tcp any host 50.58.79.170 range 5201 5205
access-list 104 permit tcp any host 50.58.79.170 eq 51333
access-list 104 remark Auto generated by SDM for NTP (123) 207.250.222.200
access-list 104 permit udp host 207.250.222.200 eq ntp host 50.58.79.170 eq ntp
access-list 104 permit ahp host 64.132.34.194 host 50.58.79.170
access-list 104 permit esp host 64.132.34.194 host 50.58.79.170
access-list 104 permit udp host 64.132.34.194 host 50.58.79.170 eq isakmp
access-list 104 permit udp host 64.132.34.194 host 50.58.79.170 eq non500-isakmp
access-list 104 permit gre any host 50.58.79.170
access-list 104 permit udp any eq domain any
access-list 104 permit icmp any host 50.58.79.170 echo-reply
access-list 104 permit icmp any host 50.58.79.170 time-exceeded
access-list 104 permit icmp any host 50.58.79.170 unreachable
access-list 104 deny ip 172.16.100.0 0.0.0.3 any
access-list 104 deny ip 172.16.250.0 0.0.0.3 any
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any log
access-list 105 remark CCP_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.11.12.0 0.0.0.255 10.11.15.0 0.0.0.255
access-list 106 remark CCP_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.11.12.0 0.0.0.255 10.11.15.0 0.0.0.255
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.11.12.0 0.0.0.255 10.11.15.0 0.0.0.255
access-list 108 permit ip host 10.11.12.41 10.150.0.0 0.0.255.255
access-list 108 permit ip host 10.11.12.55 10.150.0.0 0.0.255.255
access-list 108 permit ip host 10.11.12.59 10.150.0.0 0.0.255.255
access-list 108 permit ip 192.168.0.0 0.0.255.255 10.150.0.0 0.0.255.255
!
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
!
control-plane
!
!
banner exec ^C
-------------------------
WARNING!
-------------------------
Unauthorized access prohibited!
Authorized access only.
This system is the property of Overture Networks Inc.
Disconnect IMMEDIATELY if you are not an authorized user!
Contact tac@overturenetworks.com or 1-888-ISG-TAC1 for help.
^C
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input ssh
!
scheduler allocate 20000 1000
end
Remote-End PIX:
ovn.sde.cz# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname ovn.sde.cz
domain-name sde.cz
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network OVN_SUBNETS
network-object 10.11.12.41 255.255.255.255
network-object 10.11.12.55 255.255.255.255
network-object 10.11.12.59 255.255.255.255
network-object 192.168.0.0 255.255.0.0
object-group network SDE_SUBNETS
network-object 10.150.0.0 255.255.0.0
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any source-quench
access-list 100 permit icmp any any echo-reply
access-list 60 permit ip object-group SDE_SUBNETS object-group OVN_SUBNETS
pager lines 24
logging on
logging buffered debugging
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 85.93.125.201 255.255.255.224
ip address inside 10.150.0.254 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
access-group 100 in interface inside
route outside 0.0.0.0 0.0.0.0 85.93.125.193 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set ovnset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ovnset
crypto map OVN 1 ipsec-isakmp
crypto map OVN 1 match address 60
crypto map OVN 1 set peer 50.58.79.170
crypto map OVN 1 set transform-set ovnset
crypto map OVN interface outside
isakmp enable outside
isakmp key ******** address 50.58.79.170 netmask 255.255.255.255
isakmp log 100
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 90.178.250.228 255.255.255.255 outside
ssh 71.65.233.201 255.255.255.255 outside
ssh 10.150.0.0 255.255.0.0 inside
ssh timeout 60
management-access outside
console timeout 0
dhcpd auto_config outside
Cryptochecksum:8242528d7e7cdc4f4def9c0bef2433c7
: end
10-22-2012 01:31 PM
Please edit your previous comment and remove the pre-shared keys from the Router's output, that's a high risk.
Thanks.
10-22-2012 01:39 PM
10-22-2012 01:55 PM
I'm not as familiar with PIX... When I enable those debugs I don't see anything. However, it seems like monitor logging is on and the following message keeps popping up within my session. I'm not sure how best to set up the logging.
PEER_REAPER_TIMER
IPSEC(sa_initiate): invalid parameters
IPSEC(sa_initiate): invalid parameters
IPSEC(sa_initiate): invalid parameters
IPSEC(sa_initiate): invalid parameters
IPSEC(sa_initiate): invalid parameters
IPSEC(sa_initiate): invalid parameters
IPSEC(sa_initiate): invalid parameters
IPSEC(sa_initiate): invalid parameters
IPSEC(sa_initiate): invalid parameters
ovn.sde.cz(config)# sh logg
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 939 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled