01-07-2012 05:45 AM
Trying to complete a site-to-site VPN but unable to get VPN connectivity between the DMZ and remote site networks.
DMZ (local network): 10.160.129.48 255.255.255.240 (2 IP addresses being used: 10.160.129.49, 10.160.129.50)
Remote (network): 10.120.0.0 255.255.192.0 (I don't have access to this environment)
The VPN parameters (keys, SA, etc.) are all verified and OK.
I'm able to bring the VPN up if I use the following access-list:
access-list rogers_apn extended permit ip host 1.2.3.114 10.120.0.0 255.255.192.0
The remote site can see the packets being dropped because of the source NATing that the above access-list does. However, since the requirement is no NATing, I cannot use the above ACL. I've tried to remove the NATing, but the result is no VPN connection.
When I use this access-list, nothing happens.
access-list rogers_apn extended permit ip 10.160.129.48 255.255.255.240 10.120.0.0 255.255.192.0
Can someone have a look at my configs to see what's missing, or point me in the right direction that allows traffic flow between the DMZ & remote network?
I believe it's a NATing issue, but I can't figure it out.
Thanks in advance.
MTREXFW02# sh run
: Saved
:
ASA Version 7.0(8)
!
hostname MTREXFW02
domain-name cisco.com
enable password N8iVIoABOjhNrEKz encrypted
passwd 2NOok0J6OZxGHfk3 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif external
security-level 0
ip address 1.2.3.114 255.255.255.240
!
interface Ethernet0/1
nameif internal
security-level 100
ip address 10.10.11.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 10.160.129.50 255.255.255.0
!
interface Ethernet0/3
speed 100
duplex half
nameif rogers1
security-level 75
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
management-only
!
banner motd * This system is the property of XXXX Networks. Any unathorized access is prohibited and all prosecutor will be fined and/or punished to the fullest extent of the law*
ftp mode passive
dns domain-lookup external
dns domain-lookup internal
dns domain-lookup DMZ
dns domain-lookup management
dns name-server x.y.z.21
dns name-server x.y.z.53
dns name-server a.b.c.198
access-list rogers_apn extended permit ip 10.160.129.48 255.255.255.240 10.120.0.0 255.255.192.0
access-list rogers_apn extended permit ip host 1.2.3.114 10.120.0.0 255.255.192.0
access-list dmz_access_in extended permit ip 10.120.0.0 255.255.192.0 host 10.160.129.49
access-list inside_nat0_outbound extended permit ip 10.10.11.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.80.0.0 255.255.254.0 10.10.1.0 255.255.255.0
access-list 110 extended permit ip any any
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any source-quench
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit ip 10.120.0.0 255.255.192.0 host 10.160.129.49
access-list capture1 extended permit udp any any eq isakmp
access-list apn-nonat extended permit ip 10.160.129.48 255.255.255.240 10.120.0.0 255.255.192.0
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu external 1500
mtu internal 1500
mtu DMZ 1500
mtu management 1500
mtu rogers1 1500
ip local pool vpnpool 192.168.20.100-192.168.20.150 mask 255.255.255.0
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (external) 10 interface
global (DMZ) 10 interface
nat (internal) 0 access-list inside_nat0_outbound
nat (internal) 10 access-list 110
nat (DMZ) 0 access-list apn-nonat
nat (DMZ) 10 access-list rogers_apn
nat (DMZ) 10 0.0.0.0 0.0.0.0
access-group 100 in interface external
access-group dmz_access_in in interface DMZ
route external 0.0.0.0 0.0.0.0 1.2.3.113 1
route internal 10.64.0.0 255.248.0.0 10.10.11.2 1
route internal 10.80.0.0 255.248.0.0 10.10.11.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username tech password u7alYakuPBrygkxj encrypted
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
<section_removed>
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 5000
crypto dynamic-map external_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map external_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map external_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map external_dyn_map 10 set reverse-route
crypto map external_map 20 match address rogers_apn
crypto map external_map 20 set peer 1.1.1.1
crypto map external_map 20 set transform-set ESP-3DES-MD5
crypto map external_map 20 set security-association lifetime seconds 3600
crypto map external_map 20 set security-association lifetime kilobytes 5000
crypto map external_map 65535 ipsec-isakmp dynamic external_dyn_map
crypto map external_map interface external
isakmp enable external
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
telnet 10.10.11.0 255.255.255.0 internal
telnet 192.168.100.0 255.255.255.0 internal
telnet 192.168.20.0 255.255.255.0 internal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 external
ssh timeout 5
console timeout 0
management-access internal
dhcpd address 192.168.100.2-192.168.100.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:d7a9c682f8e7b7fd5834ef3d3bd49616
: end
MTREXFW02#
ISAKMP SA & IPSEC SA info when source NATing is used:
MTREXFW02# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 74.198.28.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
MTREXFW02# sh cry
MTREXFW02# sh crypto ip
MTREXFW02# sh crypto ipsec sa
interface: external
Crypto map tag: external_map, seq num: 20, local addr: 1.2.3.114
access-list rogers_apn permit ip host 1.2.3.114 10.120.0.0 255.255.192.0
local ident (addr/mask/prot/port): (1.2.3.114/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.120.0.0/255.255.192.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.2.3.114, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 15388213
inbound esp sas:
spi: 0x69CFA19D (1775215005)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: external_map
sa timing: remaining key lifetime (kB/sec): (4638/3508)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x15388213 (356024851)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: external_map
sa timing: remaining key lifetime (kB/sec): (4637/3506)
IV size: 8 bytes
replay detection support: Y
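A small checker for the question in this post, added here as an example (it is not code from the thread or from Cisco). It parses only the `nameif`/`ip address`, `access-list ... extended permit ip`, `nat (if) ...` and `crypto map ... match address` lines in the form the posted `sh run` uses, and approximates the ingress interface of a flow as the interface whose connected network contains the ACL source (the real appliance does a route lookup). Fed the relevant lines of the configuration above, it reports for each crypto-ACL entry whether a `nat (if) 0 access-list` exemption covers it and which other NAT rules on the same interface also match it.

```python
"""Crypto-ACL vs NAT consistency check for a pre-8.3 ASA configuration.

Added example, not code from the thread or from Cisco. It understands only
the line forms used in the posted `sh run`:
  nameif NAME / ip address A.B.C.D MASK         (inside an interface block)
  access-list NAME extended permit ip SRC DST   (SRC/DST = "any" | "host X" | "X MASK")
  nat (IFACE) ID access-list NAME               (ID 0 = NAT exemption, else policy NAT)
  nat (IFACE) ID A.B.C.D MASK                   (dynamic NAT)
  crypto map MAP SEQ match address NAME
Ingress interface is approximated as the interface whose connected network
contains the ACL source (the real box does a route lookup).
"""
import ipaddress

# Constructed sample: the relevant lines of the first `sh run` in the thread.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif external
 ip address 1.2.3.114 255.255.255.240
interface Ethernet0/2
 nameif DMZ
 ip address 10.160.129.50 255.255.255.0
access-list rogers_apn extended permit ip 10.160.129.48 255.255.255.240 10.120.0.0 255.255.192.0
access-list rogers_apn extended permit ip host 1.2.3.114 10.120.0.0 255.255.192.0
access-list apn-nonat extended permit ip 10.160.129.48 255.255.255.240 10.120.0.0 255.255.192.0
nat (DMZ) 0 access-list apn-nonat
nat (DMZ) 10 access-list rogers_apn
nat (DMZ) 10 0.0.0.0 0.0.0.0
crypto map external_map 20 match address rogers_apn
"""


def _addr(t, i):
    """Parse one address spec at t[i]; return (network, index of the next token)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse(config):
    """Return (acls, nat rules, crypto ACL names, interface -> ip_interface)."""
    acls, nats, crypto_acls, ifaces = {}, [], [], {}
    nameif = None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif:
            ifaces[nameif] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _addr(t, 5)
            dst, _ = _addr(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and t[1].startswith("("):
            iface, nat_id = t[1].strip("()"), int(t[2])
            if t[3] == "access-list":
                nats.append((iface, nat_id, "acl", t[4]))
            else:
                nats.append((iface, nat_id, "net",
                             ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[:2] == ["crypto", "map"] and "address" in t:
            crypto_acls.append(t[t.index("address") + 1])
    return acls, nats, crypto_acls, ifaces


def _covered(src, dst, entries):
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)


def _overlaps(src, dst, entries):
    return any(src.overlaps(s) and dst.overlaps(d) for s, d in entries)


def check(config):
    """One finding per crypto-ACL entry."""
    acls, nats, crypto_acls, ifaces = parse(config)
    findings = []
    for name in crypto_acls:
        for src, dst in acls.get(name, []):
            # A /32 equal to an interface address is the firewall itself talking.
            own = next((n for n, i in ifaces.items()
                        if src.prefixlen == 32 and src.network_address == i.ip), None)
            ingress = None if own else next(
                (n for n, i in ifaces.items() if src.subnet_of(i.network)), None)
            # NAT exemption (nat 0 access-list) is evaluated before policy/dynamic NAT,
            # so an exempt flow keeps its source even when later rules also match it.
            exempt = any(kind == "acl" and _covered(src, dst, acls.get(ref, []))
                         for iface, nid, kind, ref in nats if iface == ingress and nid == 0)
            overlapping = []
            for iface, nid, kind, ref in nats:
                if iface != ingress or nid == 0:
                    continue
                if kind == "acl" and _overlaps(src, dst, acls.get(ref, [])):
                    overlapping.append(ref)
                elif kind == "net" and src.overlaps(ref):
                    overlapping.append(str(ref))
            findings.append({"acl": name, "src": str(src), "dst": str(dst),
                             "ingress": ingress, "own_address": own,
                             "exempt": exempt, "overlapping_nat": overlapping})
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG):
        print(finding)
```

On the sample, the DMZ entry is exempted by `apn-nonat` but is also matched by the `nat (DMZ) 10` policy and dynamic rules, and the `host 1.2.3.114` entry has the firewall's own external address as source, so it never enters through any interface that NAT could act on.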
01-07-2012 08:50 AM
You only have one IPsec SA establishing. I would look for the second one if both your source subnets were establishing SAs over the VPN.
Your script appears OK at first glance. You have the tunnel group, cryptomap, access-list and nonnat statements all set up.
Have you run your non-working flow through packet tracer? It's really good about showing you where the logic is prohibiting the flow (or confirming that your end is OK).
Assuming packet tracer confirms your script's logic, I'd try a crypto debug while introducing interesting traffic from the 10.160.129.48 255.255.255.240 network.
Debug setup:
debug crypto cond peer 1.1.1.1
debug crypto ipsec 7
debug crypto isakmp 7
The output should highlight any IPsec issues with that second SA.
Do you know if the distant end platform is an ASA?
01-07-2012 09:37 AM
Thanks for quick response and comments..much appreciated.
I did set some debug (this ASA is running ver 7.0(8)). Below is the output. However, this connectivity is only achieved when I use the following ACL:
access-list rogers_apn extended permit ip host 1.2.3.114 10.120.0.0 255.255.192.0
If I try using this ACL (the requirement is no NATing, because the remote side will drop the connection), nothing happens:
access-list rogers_apn extended permit ip 10.160.129.48 255.255.255.240 10.120.0.0 255.255.192.0
So I'm thinking that somewhere I messed up either the ACLs or the NAT statements.
Thanks again for your input.
MTREXFW02(config)# ping
Interface: external
Target IP address: 10.120.0.1
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]: y
Verbose? [no]:
Validate reply data? [no]:
Data pattern [0xabcd]:
Sweep range of sizes [n]:
Sending 5, 100-byte ICMP Echos to 10.120.0.1, timeout is 2 seconds:
Jan 07 09:49:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 07 09:49:31 [IKEv1]: IP = 1.1.1.1, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 1.1.1.1 local Proxy Address 1.2.3.114, remote Proxy Address 10.120.0.0, Crypto map (external_map)
Jan 07 09:49:31 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ISAKMP SA payload
Jan 07 09:49:31 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing NAT-Traversal VID ver 02 payload
Jan 07 09:49:31 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing NAT-Traversal VID ver 03 payload
Jan 07 09:49:31 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Fragmentation VID + extended capabilities payload
Jan 07 09:49:31 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
Jan 07 09:49:31 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 84
Jan 07 09:49:31 [IKEv1 DEBUG]: IP = 1.1.1.1, processing SA payload
Jan 07 09:49:31 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable
Jan 07 09:49:31 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ke payload
Jan 07 09:49:31 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing nonce payload
Jan 07 09:49:31 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Cisco Unity VID payload
Jan 07 09:49:31 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing xauth V6 VID payload
Jan 07 09:49:31 [IKEv1 DEBUG]: IP = 1.1.1.1, Send IOS VID
Jan 07 09:49:31 [IKEv1 DEBUG]: IP = 1.1.1.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jan 07 09:49:31 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing VID payload
Jan 07 09:49:31 [IKEv1 DEBUG]: IP = 1.1.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 07 09:49:31 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Jan 07 09:49:31 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 184
Jan 07 09:49:31 [IKEv1 DEBUG]: IP = 1.1.1.1, processing ke payload
Jan 07 09:49:31 [IKEv1 DEBUG]: IP = 1.1.1.1, processing ISA_KE payload
Jan 07 09:49:31 [IKEv1 DEBUG]: IP = 1.1.1.1, processing nonce payload
Jan 07 09:49:31 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Generating keys for Initiator...
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing ID payload
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing hash payload
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing dpd vid payload
Jan 07 09:49:31 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 95
Jan 07 09:49:31 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP
Jan 07 09:49:31 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
Jan 07 09:49:31 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Freeing previously allocated memory for authorization-dn-attributes
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Oakley begin quick mode
Jan 07 09:49:31 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED
Jan 07 09:49:31 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: None
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Starting phase 1 rekey timer: 64800000 (ms)
IPSEC: New embryonic SA created @ 0x03BB52B8,
SCB: 0x03B2EE68,
Direction: inbound
SPI : 0x3C855DA8
Session ID: 0x00000001
VPIF num : 0x00000001
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE got SPI from key engine: SPI = 0x3c855da8
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, oakley constucting quick mode
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing IPSec SA payload
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing IPSec nonce payload
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing proxy ID
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Transmitting Proxy Id:
Local host: 1.2.3.114 Protocol 0 Port 0
Remote subnet: 10.120.0.0 Mask 255.255.192.0 Protocol 0 Port 0
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload
Jan 07 09:49:31 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=f692f8f9) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
Jan 07 09:49:31 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=f692f8f9) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing SA payload
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing nonce payload
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing notify payload
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, loading all IPSEC SAs
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Generating Quick Mode Key!
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Generating Quick Mode Key!
IPSEC: New embryonic SA created @ 0x03BF0AF8,
SCB: 0x033C7F80,
Direction: outbound
SPI : 0x3BA283F5
Session ID: 0x00000001
VPIF num : 0x00000001
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x3BA283F5
IPSEC: Creating outbound VPN context, SPI 0x3BA283F5
Flags: 0x00000005
SA : 0x03BF0AF8
SPI : 0x3BA283F5
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00000000
SCB : 0x033C7F80
Channel: 0x01135E38
IPSEC: Completed outbound VPN context, SPI 0x3BA283F5
VPN handle: 0x02EC1008
IPSEC: New outbound encrypt rule, SPI 0x3BA283F5
Src addr: 1.2.3.114
Src mask: 255.255.255.255
Dst addr: 10.120.0.0
Dst mask: 255.255.192.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x3BA283F5
Rule ID: 0x03C1B6C8
IPSEC: New outbound permit rule, SPI 0x3BA283F5
Src addr: 1.2.3.114
Src mask: 255.255.255.255
Dst addr: 1.1.1.1
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x3BA283F5
Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x3BA283F5
Rule ID: 0x03C1B730
Jan 07 09:49:31 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Security negotiation complete for LAN-to-LAN Group (1.1.1.1) Initiator, Inbound SPI = 0x3c855da8, Outbound SPI = 0x3ba283f5
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, oakley constructing final quick mode
IPSEC: Completed host IBSA update, SPI 0x3C855DA8
IPSEC: Creating inbound VPN context, SPI 0x3C855DA8
Flags: 0x00000006
SA : 0x03BB52B8
SPI : 0x3C855DA8
MTU : 0 bytes
VCID : 0x00000000
Peer : 0x02EC1008
SCB : 0x03B2EE68
Channel: 0x01135E38
IPSEC: Completed inbound VPN context, SPI 0x3C855DA8
VPN handle: 0x02EBCC30
IPSEC: Updating outbound VPN context 0x02EC1008, SPI 0x3BA283F5
Flags: 0x00000005
SA : 0x03BF0AF8
SPI : 0x3BA283F5
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x02EBCC30
SCB : 0x033C7F80
Channel: 0x01135E38
IPSEC: Completed outbound VPN context, SPI 0x3BA283F5
VPN handle: 0x02EC1008
IPSEC: Completed outbound inner rule, SPI 0x3BA283F5
Rule ID: 0x03C1B6C8
IPSEC: Completed outbound outer SPD rule, SPI 0x3BA283F5
Rule ID: 0x03C1B730
IPSEC: New inbound tunnel flow rule, SPI 0x3C855DA8
Src addr: 10.120.0.0
Src mask: 255.255.192.0
Dst addr: 1.2.3.114
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x3C855DA8
Rule ID: 0x03B63848
IPSEC: New inbound decrypt rule, SPI 0x3C855DA8
Src addr: 1.1.1.1
Src mask: 255.255.255.255
Dst addr: 1.2.3.114
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x3C855DA8
Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x3C855DA8
Rule ID: 0x03B01640
IPSEC: New inbound permit rule, SPI 0x3C855DA8
Src addr: 1.1.1.1
Src mask: 255.255.255.255
Dst addr: 1.2.3.114
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x3C855DA8
Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x3C855DA8
Rule ID: 0x03BBCAB8
Jan 07 09:49:31 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=f692f8f9) with payloads : HDR + HASH (8) + NONE (0) total length : 72
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE got a KEY_ADD msg for SA: SPI = 0x3ba283f5
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Pitcher: received KEY_UPDATE, spi 0x3c855da8
Jan 07 09:49:31 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Starting P2 Rekey timer to expire in 3420 seconds
Jan 07 09:49:31 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 2 COMPLETED (msgid=f692f8f9)
?????
Success rate is 0 percent (0/5)
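An added example (not part of the thread) that pulls the negotiated proxy IDs and phase results out of `debug crypto isakmp` output like the above, plus the ident lines and packet counters from `sh crypto ipsec sa`, and compares them with the subnet pair the crypto ACL was meant to carry. The sample text is an excerpt of the output posted in this thread; the expected local/remote networks are the DMZ /28 and the remote /18 from the first post. The regular expressions are written against the line forms visible in that output.

```python
"""Pull proxy IDs and traffic counters out of ASA IKEv1 debug / ipsec sa output.

Added example, not from the thread. It reads the "Transmitting Proxy Id" block
and the PHASE n COMPLETED lines from `debug crypto isakmp`, the ident lines and
#pkts counters from `sh crypto ipsec sa`, and compares what was negotiated
with the subnet pair the crypto ACL was supposed to protect.
"""
import ipaddress
import re

# Constructed excerpts of the output posted in the thread (addresses as anonymised there).
SAMPLE_DEBUG = """\
Jan 07 09:49:31 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED
Jan 07 09:49:31 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Transmitting Proxy Id:
Local host: 1.2.3.114 Protocol 0 Port 0
Remote subnet: 10.120.0.0 Mask 255.255.192.0 Protocol 0 Port 0
Jan 07 09:49:31 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 2 COMPLETED (msgid=f692f8f9)
"""
SAMPLE_SA = """\
local ident (addr/mask/prot/port): (1.2.3.114/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.120.0.0/255.255.192.0/0/0)
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

PROXY_RE = re.compile(r"^(Local|Remote) (?:host|subnet): (\S+)(?: Mask (\S+))?")
IDENT_RE = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def _net(addr, mask=None):
    """Host form (no mask) becomes a /32; dotted masks are accepted by ipaddress."""
    return ipaddress.ip_network(f"{addr}/{mask or 32}", strict=False)


def parse_debug(text):
    out = {"phase1": False, "phase2": False, "proxy_local": None, "proxy_remote": None}
    for line in text.splitlines():
        line = line.strip()
        if "PHASE 1 COMPLETED" in line:
            out["phase1"] = True
        elif "PHASE 2 COMPLETED" in line:
            out["phase2"] = True
        m = PROXY_RE.match(line)
        if m:
            out["proxy_" + m.group(1).lower()] = _net(m.group(2), m.group(3))
    return out


def parse_sa(text):
    out = {}
    for line in text.splitlines():
        line = line.strip()
        m = IDENT_RE.match(line)
        if m:
            out[m.group(1) + "_ident"] = _net(m.group(2), m.group(3))
        for kind, count in PKTS_RE.findall(line):
            out[kind] = int(count)
    return out


def analyze(debug_text, sa_text, expected_local, expected_remote):
    d, s = parse_debug(debug_text), parse_sa(sa_text)
    encaps, decaps = s.get("encaps", 0), s.get("decaps", 0)
    return {
        "phase1": d["phase1"],
        "phase2": d["phase2"],
        "proxy_local": str(d["proxy_local"]),
        "proxy_remote": str(d["proxy_remote"]),
        "local_matches": d["proxy_local"] == ipaddress.ip_network(expected_local),
        "remote_matches": d["proxy_remote"] == ipaddress.ip_network(expected_remote),
        "sa_matches_proxy": (s.get("local_ident") == d["proxy_local"]
                             and s.get("remote_ident") == d["proxy_remote"]),
        "encaps": encaps,
        "decaps": decaps,
        # We encrypt but never decrypt: nothing is coming back for this SA pair.
        "one_way": encaps > 0 and decaps == 0,
    }


def verdict(r):
    notes = []
    if not r["local_matches"]:
        notes.append(f"local proxy ID {r['proxy_local']} is not the intended local network: "
                     "the flow that hit the crypto map had a different source "
                     "(translated before encryption, or originated by the firewall itself)")
    if r["phase2"] and r["one_way"]:
        notes.append("SA is up and we encrypt, but nothing is decrypted: "
                     "the peer is not returning traffic for this proxy pair")
    return notes


if __name__ == "__main__":
    result = analyze(SAMPLE_DEBUG, SAMPLE_SA, "10.160.129.48/28", "10.120.0.0/18")
    print(result)
    for note in verdict(result):
        print("-", note)
```

Run against the posted output it reports that both phases completed, that the local proxy ID is the firewall's `1.2.3.114/32` rather than `10.160.129.48/28`, and that four packets were encapsulated with none decapsulated.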
01-07-2012 10:11 AM
Please first run :
packet-tracer input dmz icmp 10.160.129.49 1 1 10.120.0.1 detail
...and provide the output. It will validate that your configuration is properly setup to allow the traffic through (or highlight the error).
If packet-tracer end result is DROP, you will need to address the configuration error.
If packet-tracer end result is ALLOW, then please try to initiate actual traffic from your DMZ host 10.160.129.49 to destination 10.120.0.1 while debugging as above. That will validate end-to-end VPN is correctly setup.
01-07-2012 10:46 AM
You know...sometimes you just can't win.....
I need to be running at least v7.2(1) in order to use packet-tracer. I tried though...no luck
This ASA 5510 is running:
MTREXFW02(config)# sh ver
Cisco Adaptive Security Appliance Software Version 7.0(8)
Device Manager Version 5.0(8
01-07-2012 12:30 PM
I loaded your config in a virtual ASA (using GNS3) running 8.0. (I'd been meaning to try to set up GNS3 anyhow. This gave me a good reason to do so.)
When I run packet-tracer there I get:
MTREXFW02# packet-tracer input dmz icmp 10.160.129.49 1 1 10.120.0.1 detail
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.120.0.0 255.255.192.0 external
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd9503b50, priority=11, domain=permit, deny=true
hits=0, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: external
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
MTREXFW02#
It is telling me that the implicit deny all is blocking it. However, since I'm only emulating one end, I am not able to have the other end up and thus have a good tunnel that can catch the flow as would normally be expected as the result of your command:
crypto map external_map 20 match address rogers_apn
If the tunnel were active, that line would force the traffic to hit:
access-list rogers_apn extended permit ip 10.160.129.48 255.255.255.240 10.120.0.0 255.255.192.0
access-list rogers_apn extended permit ip host 1.2.3.114 10.120.0.0 255.255.192.0
I know you can't run packet-tracer. But, can you initiate traffic from your DMZ host to see if it brings the tunnel up?
You might also want to consider moving onto ASA software of a more recent vintage.
01-07-2012 01:13 PM
Hey, that's awesome! I've loaded up GNS3 but I was having difficulty getting the ASA images loaded. So I abandoned that for the time being, or at least until I have more time.
And yes, I know an update is way past due, but when you inherit an infrastructure and literally thousands of dollar$ in business contracts are riding on getting this connection going, it's hard to convince the client that an upgrade is required. As for the deadline to have this working... that was last Thursday. Ah, well, I wouldn't do it if I didn't love it.
Once the VPN is working, we would do the upgrade, not to mention renew the support.
Now the issue I have is - why doesn't this access list work?
access-list rogers_apn extended permit ip 10.160.129.48 255.255.255.240 10.120.0.0 255.255.192.0
The business requirement is no NATing, so they (remote telco) want the no-NAT rule to exclude NATing over the VPN. But somehow I can't seem to get it to work with the current configs. So either I have conflicting ACLs or NAT statements, or incorrect entries.
This setup on my side does not actually have any physical hosts sending or receiving traffic, but it is to be used with a mobile solution (M2M = Machine-to-Machine). Mobile terminals will pass traffic via the tunnel.
Your results indicate that I must have a DMZ configuration issue. Do my DMZ configs look correct?
Thanks again.
P.S.
I did some config clean-up. Can you re-run in GNS3 to see if the result is still the same? The remote peer btw is a CheckPoint device (R7 I think)
MTREXFW02# sh run
: Saved
ASA Version 7.0(8)
hostname MTREXFW02
domain-name cisco.com
enable password N8iVIoABOjhNrEKz encrypted
passwd 2NOok0J6OZxGHfk3 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif external
security-level 0
ip address 1.2.3.114 255.255.255.240
!
interface Ethernet0/1
nameif internal
security-level 100
ip address 10.10.11.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 10.160.129.50 255.255.255.0
!
interface Ethernet0/3
speed 100
duplex half
nameif rogers1
security-level 75
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
management-only
!
banner motd * This system is the property of Mtrex Networks. Any unathorized access is prohibited and all prosecutor will be fined and/or punished to the fullest extent of the law*
ftp mode passive
dns domain-lookup external
dns domain-lookup internal
dns domain-lookup DMZ
dns domain-lookup management
dns name-server x.y.z.21
dns name-server x.y.z.53
dns name-server a.b.c.198
access-list rogers_apn extended permit ip 10.160.129.48 255.255.255.240 10.120.0.0 255.255.192.0
access-list dmz_access_in extended permit ip 10.120.0.0 255.255.192.0 10.160.129.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.10.11.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.80.0.0 255.255.254.0 10.10.1.0 255.255.255.0
access-list 110 extended permit ip any any
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any source-quench
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit ip 10.120.0.0 255.255.192.0 10.160.129.48 255.255.255.240
access-list capture1 extended permit udp any any eq isakmp
access-list apn-nonat extended permit ip 10.160.129.48 255.255.255.240 10.120.0.0 255.255.192.0
access-list dmz-internet extended permit ip 10.160.129.48 255.255.255.240 any
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu external 1500
mtu internal 1500
mtu DMZ 1500
mtu management 1500
mtu rogers1 1500
ip local pool vpnpool 192.168.20.100-192.168.20.150 mask 255.255.255.0
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (external) 10 interface
nat (internal) 0 access-list inside_nat0_outbound
nat (internal) 10 access-list 110
nat (DMZ) 0 access-list apn-nonat
nat (DMZ) 10 access-list dmz-internet
access-group 100 in interface external
access-group dmz_access_in in interface DMZ
route external 0.0.0.0 0.0.0.0 1.2.3.113 1
route internal 10.64.0.0 255.248.0.0 10.10.11.2 1
route internal 10.80.0.0 255.248.0.0 10.10.11.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username tech password u7alYakuPBrygkxj encrypted
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 5000
crypto dynamic-map external_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map external_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map external_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map external_dyn_map 10 set reverse-route
crypto map external_map 20 match address rogers_apn
crypto map external_map 20 set peer 1.1.1.1
crypto map external_map 20 set transform-set ESP-3DES-MD5
crypto map external_map 20 set security-association lifetime seconds 3600
crypto map external_map 20 set security-association lifetime kilobytes 5000
crypto map external_map 65535 ipsec-isakmp dynamic external_dyn_map
crypto map external_map interface external
isakmp enable external
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
telnet 10.10.11.0 255.255.255.0 internal
telnet 192.168.100.0 255.255.255.0 internal
telnet 192.168.20.0 255.255.255.0 internal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 external
ssh timeout 5
console timeout 0
management-access internal
dhcpd address 192.168.100.2-192.168.100.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:6824d7e5223143f7853a07cf35b9123a
: end
MTREXFW02#
01-08-2012 08:01 AM
I reloaded GNS3 with your updated config. No change to packet-tracer output.
I also got even more ambitious and setup a virtualbox host so I could run ASDM against it. For me it sometimes helps to see the NAT rules and such graphically.
I think, at best, you have some overlapping/conflicting rules in the DMZ. I'm not sure of the end effect, but if you look at the graphic I've inserted, you see the dynamic policy NAT rules after the NAT exempt, which seem to be at odds with one another:
I'm not sure of the net effect but it seems incorrect.
01-08-2012 10:53 AM
I believe I got rid of that conflict. Thanks for pointing it out.
The following results were obtained when I include the public IP address of our firewall. It seems that the crypto ACL for the local network (DMZ) is not being used, based on the ACL hits below.
Does this indicate that the remote peer is using a crypto ACL that does not match-up with mine?
If so, why am I still able to get the vpn up ? Well at least to some extent.
Also under the "crypto ipsec stats" - there's a "Responder fails = 66"
Is this the remote peer not being able to return traffic, or dropping traffic? I think it's dropping the traffic, since the admin on that side said I was source NATing. Which I am, since that's the only way to get any sort of connection going. Which brings me to the same question above... are the crypto ACLs mismatched?
Thanks again for your great efforts and time.
MTREXFW02(config)# ping
Interface: external
Target IP address: 10.120.0.1
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]: y
Verbose? [no]: y
Validate reply data? [no]:
Data pattern [0xabcd]:
Sweep range of sizes [n]:
Sending 5, 100-byte ICMP Echos to 10.120.0.1, timeout is 2 seconds:
Unknown echo response type 0x20
Unknown echo response type 0x20
Unknown echo response type 0x20
Unknown echo response type 0x20
Unknown echo response type 0x20
Success rate is 0 percent (0/5)
MTREXFW02(config)# sh crypto ipsec sa
interface: external
Crypto map tag: external_map, seq num: 20, local addr: 1.2.3.114
access-list rogers_apn permit ip host 1.2.3.114 10.120.0.0 255.255.192.0
local ident (addr/mask/prot/port): (1.2.3.114/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.120.0.0/255.255.192.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.2.3.114, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 56FE55A0
inbound esp sas:
spi: 0x9FAC71E3 (2678878691)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: external_map
sa timing: remaining key lifetime (kB/sec): (4638/3585)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x56FE55A0 (1459508640)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: external_map
sa timing: remaining key lifetime (kB/sec): (4637/3577)
IV size: 8 bytes
replay detection support: Y
MTREXFW02(config)# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
MTREXFW02(config)# sh crypto isakmp stats
Global IKE Statistics
Active Tunnels: 1
Previous Tunnels: 137663
In Octets: 75048736
In Packets: 551555
In Drop Packets: 764
In Notifys: 0
In P2 Exchanges: 137626
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 137624
In P2 Sa Delete Requests: 0
Out Octets: 82668532
Out Packets: 689197
Out Drop Packets: 0
Out Notifys: 138362
Out P2 Exchanges: 38
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 39
Initiator Tunnels: 37
Initiator Fails: 0
Responder Fails: 66 {what does this mean?}
System Capacity Fails: 0
Auth Fails: 66
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 738
MTREXFW02(config)# sh vpn-sessiondb detail l2l
Session Type: LAN-to-LAN Detailed
Connection : 1.1.1.1
Index : 1 IP Addr : 1.1.1.1
Protocol : IPSecLAN2LAN Encryption : 3DES
Hashing : MD5
Bytes Tx : 0 Bytes Rx : 400
Login Time : 10:20:03 UTC Sun Jan 8 2012
Duration : 0h:07m:35s
Filter Name :
IKE Sessions: 1 IPSec Sessions: 1
IKE:
Session ID : 1
UDP Src Port : 500 UDP Dst Port : 500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : 3DES Hashing : MD5
Rekey Int (T): 86400 Seconds Rekey Left(T): 85946 Seconds
D/H Group : 2
IPSec:
Session ID : 2
Local Addr : 1.2.3.114/255.255.255.255/0/0
Remote Addr : 10.120.0.0/255.255.192.0/0/0
Encryption : 3DES Hashing : MD5
Encapsulation: Tunnel
Rekey Int (T): 3600 Seconds Rekey Left(T): 3146 Seconds
Rekey Int (D): 4638 K-Bytes Rekey Left(D): 4638 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 23 Minutes
Bytes Tx : 0 Bytes Rx : 400
Pkts Tx : 0 Pkts Rx : 4
MTREXFW02(config)# sh crypto protocol statistics ikev1
[IKEv1 statistics]
Encrypt packet requests: 413066
Encapsulate packet requests: 413066
Decrypt packet requests: 275329
Decapsulate packet requests: 275329
HMAC calculation requests: 1652342
SA creation requests: 137663
SA rekey requests: 0
SA deletion requests: 137729
Next phase key allocation requests: 80
Random number generation requests: 0
Failed requests: 0
MTREXFW02(config)# sh crypto protocol statistics ikev2
[IKEv2 statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
MTREXFW02(config)# sh crypto protocol statistics ipsec
[IPsec statistics]
Encrypt packet requests: 234
Encapsulate packet requests: 234
Decrypt packet requests: 1788
Decapsulate packet requests: 1788
HMAC calculation requests: 2022
SA creation requests: 80
SA rekey requests: 0
SA deletion requests: 78
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 18
MTREXFW02(config)# sh access-list rogers_apn
access-list rogers_apn; 2 elements
access-list rogers_apn line 1 extended permit ip 10.160.129.48 255.255.255.240 10.120.0.0 255.255.192.0 (hitcnt=0)
access-list rogers_apn line 2 extended permit ip host 1.2.3.114 10.120.0.0 255.255.192.0 (hitcnt=4)
MTREXFW02(config)# sh access-list apn-nonat
access-list apn-nonat; 1 elements
access-list apn-nonat line 1 extended permit ip 10.160.129.48 255.255.255.240 10.120.0.0 255.255.192.0 (hitcnt=0)
MTREXFW02(config)# sh access-list dmz_access_in
access-list dmz_access_in; 1 elements
access-list dmz_access_in line 1 extended permit ip 10.160.129.48 255.255.255.240 10.120.0.0 255.255.192.0 (hitcnt=0)
MTREXFW02(config)# sh access-list 100
access-list 100; 5 elements
access-list 100 line 1 extended permit icmp any any echo-reply (hitcnt=676441)
access-list 100 line 2 extended permit icmp any any time-exceeded (hitcnt=319)
access-list 100 line 3 extended permit icmp any any source-quench (hitcnt=0)
access-list 100 line 4 extended permit icmp any any unreachable (hitcnt=298)
access-list 100 line 5 extended permit ip 10.120.0.0 255.255.192.0 10.160.129.48 255.255.255.240 (hitcnt=0)
MTREXFW02(config)# sh nat
NAT policies on Interface internal:
match ip internal 10.10.11.0 255.255.255.0 external 192.168.20.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip internal 10.80.0.0 255.255.254.0 external 10.10.1.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip internal 10.10.11.0 255.255.255.0 internal 192.168.20.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip internal 10.80.0.0 255.255.254.0 internal 10.10.1.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip internal 10.10.11.0 255.255.255.0 DMZ 192.168.20.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip internal 10.80.0.0 255.255.254.0 DMZ 10.10.1.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip internal 10.10.11.0 255.255.255.0 management 192.168.20.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip internal 10.80.0.0 255.255.254.0 management 10.10.1.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip internal 10.10.11.0 255.255.255.0 rogers1 192.168.20.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip internal 10.80.0.0 255.255.254.0 rogers1 10.10.1.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip internal any external any
dynamic translation to pool 10 (1.2.3.114 [Interface PAT])
translate_hits = 839713, untranslate_hits = 396624
match ip internal any internal any
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip internal any DMZ any
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip internal any management any
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip internal any rogers1 any
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
NAT policies on Interface DMZ:
match ip DMZ 10.160.129.48 255.255.255.240 external 10.120.0.0 255.255.192.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip DMZ 10.160.129.48 255.255.255.240 DMZ 10.120.0.0 255.255.192.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
MTREXFW02(config)# sh route
S 0.0.0.0 0.0.0.0 [1/0] via 1.2.3.113, external
C 10.10.11.0 255.255.255.0 is directly connected, internal
S 10.64.0.0 255.248.0.0 [1/0] via 10.10.11.2, internal
S 10.80.0.0 255.248.0.0 [1/0] via 10.10.11.2, internal
C 10.160.129.48 255.255.255.240 is directly connected, DMZ
C 1.2.3.112 255.255.255.240 is directly connected, external
MTREXFW02(config)#
Minor changes done to configs:
MTREXFW02# sh run
: Saved
:
ASA Version 7.0(8)
!
hostname MTREXFW02
domain-name cisco.com
enable password N8iVIoABOjhNrEKz encrypted
passwd 2NOok0J6OZxGHfk3 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif external
security-level 0
ip address 1.2.3.114 255.255.255.240
!
interface Ethernet0/1
nameif internal
security-level 100
ip address 10.10.11.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 10.160.129.50 255.255.255.240
!
interface Ethernet0/3
speed 100
duplex half
nameif rogers1
security-level 75
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
management-only
!
banner motd * This system is the property of Mxxx Networks. Any unathorized access is prohibited and all prosecutor will be fined and/or punished to the fullest extent of the law*
ftp mode passive
dns domain-lookup external
dns domain-lookup internal
dns domain-lookup DMZ
dns domain-lookup management
dns name-server x.y.z.21
dns name-server x.y.z.53
dns name-server a.b.c.198
access-list rogers_apn extended permit ip 10.160.129.48 255.255.255.240 10.120.0.0 255.255.192.0
access-list rogers_apn extended permit ip host 1.2.3.114 10.120.0.0 255.255.192.0
access-list dmz_access_in extended permit ip 10.160.129.48 255.255.255.240 10.120.0.0 255.255.192.0
access-list inside_nat0_outbound extended permit ip 10.10.11.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.80.0.0 255.255.254.0 10.10.1.0 255.255.255.0
access-list 110 extended permit ip any any
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any source-quench
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit ip 10.120.0.0 255.255.192.0 10.160.129.48 255.255.255.240
access-list capture1 extended permit udp any any eq isakmp
access-list apn-nonat extended permit ip 10.160.129.48 255.255.255.240 10.120.0.0 255.255.192.0
access-list dmz-internet extended permit ip 10.160.129.48 255.255.255.240 10.120.0.0 255.255.192.0
access-list capture extended permit ip 10.160.129.48 255.255.255.240 10.120.0.0 255.255.192.0
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu external 1500
mtu internal 1500
mtu DMZ 1500
mtu management 1500
mtu rogers1 1500
ip local pool vpnpool 192.168.20.100-192.168.20.150 mask 255.255.255.0
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (external) 10 interface
nat (internal) 0 access-list inside_nat0_outbound
nat (internal) 10 access-list 110
nat (DMZ) 0 access-list apn-nonat
access-group 100 in interface external
access-group dmz_access_in in interface DMZ
route external 0.0.0.0 0.0.0.0 1.2.3.113 1
route internal 10.64.0.0 255.248.0.0 10.10.11.2 1
route internal 10.80.0.0 255.248.0.0 10.10.11.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username tech password u7alYakuPBrygkxj encrypted
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 5000
crypto dynamic-map external_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map external_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map external_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map external_dyn_map 10 set reverse-route
crypto map external_map 20 match address rogers_apn
crypto map external_map 20 set peer 1.1.1.1
crypto map external_map 20 set transform-set ESP-3DES-MD5
crypto map external_map 20 set security-association lifetime seconds 3600
crypto map external_map 20 set security-association lifetime kilobytes 5000
crypto map external_map 65535 ipsec-isakmp dynamic external_dyn_map
crypto map external_map interface external
isakmp enable external
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
telnet 10.10.11.0 255.255.255.0 internal
telnet 192.168.100.0 255.255.255.0 internal
telnet 192.168.20.0 255.255.255.0 internal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 external
ssh timeout 5
console timeout 0
management-access internal
dhcpd address 192.168.100.2-192.168.100.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:133b9088a92abfd6a2ee86e97a8d5617
: end
MTREXFW02#
01-08-2012 11:28 AM
Since you don't have a host in the DMZ you can use, try your ping from source interface DMZ (not external as you did above):
MTREXFW02(config)# ping
Interface: DMZ
Target IP address: 10.120.0.1
That should validate your DMZ nonat rules and DMZ-remote site IPSec VPN ability.
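To make the two pings above concrete before touching the firewall, here is an added example (not code from either poster, and not an ASA tool) that replays ASA first-match semantics over the crypto ACL and the DMZ NAT-exempt ACL copied from the posted config. It shows why a ping sourced from the external interface (1.2.3.114) lands on line 2 of rogers_apn and never touches apn-nonat, while a ping sourced from the DMZ interface (10.160.129.50) lands on line 1 and is NAT-exempt, and it prints the mirror-image proxy identities the remote peer's crypto ACL must carry for each entry. The flows used are constructed sample inputs; the ACE parser handles only the `permit ip` forms present in the config (host, any, network/mask).

```python
"""Offline check of which ASA crypto-ACL and NAT-exempt entries a flow would match.
Added example for this thread, not code from the original posts. It parses the
`access-list ... extended permit ip` lines copied from the posted config and
evaluates constructed sample flows against them."""
import ipaddress
import re

# ACL lines copied from the posted configuration (tunnel-relevant ones only).
CONFIG = """
access-list rogers_apn extended permit ip 10.160.129.48 255.255.255.240 10.120.0.0 255.255.192.0
access-list rogers_apn extended permit ip host 1.2.3.114 10.120.0.0 255.255.192.0
access-list dmz_access_in extended permit ip 10.160.129.48 255.255.255.240 10.120.0.0 255.255.192.0
access-list apn-nonat extended permit ip 10.160.129.48 255.255.255.240 10.120.0.0 255.255.192.0
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) ip (.+)$")


def _parse_addr(tokens):
    """Consume one ACE address spec from tokens; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA ACLs use a real subnet mask (not a wildcard) for network entries.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acls(text):
    """Return {acl_name: [(line_no, action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for raw in text.strip().splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        name, action, rest = m.groups()
        src, rest = _parse_addr(rest.split())
        dst, _ = _parse_addr(rest)
        entries = acls.setdefault(name, [])
        entries.append((len(entries) + 1, action, src, dst))
    return acls


def first_match(acls, name, src_ip, dst_ip):
    """First ACE in `name` covering src->dst (ASA: first match wins).
    Returns (line_no, action), or None for implicit deny / no exemption."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line_no, action, src, dst in acls.get(name, []):
        if s in src and d in dst:
            return line_no, action
    return None


def check_flow(acls, src_ip, dst_ip, crypto_acl="rogers_apn", nonat_acl="apn-nonat"):
    """Which crypto-map ACE selects the flow for IPsec, and whether the
    nat (DMZ) 0 ACL exempts it from translation."""
    crypto = first_match(acls, crypto_acl, src_ip, dst_ip)
    nonat = first_match(acls, nonat_acl, src_ip, dst_ip)
    return {"crypto_line": crypto[0] if crypto else None, "nat_exempt": nonat is not None}


def mirror_aces(acls, name):
    """Proxy identities the remote peer's crypto ACL must carry: IKEv1 quick mode
    offers each permit ACE as local/remote identities, and the peer needs the
    exact mirror image (its source = our destination) to accept the proposal."""
    return [(str(dst), str(src)) for _, action, src, dst in acls.get(name, []) if action == "permit"]


if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    # Constructed sample flows: ping sourced from external, ping sourced from DMZ.
    for src in ("1.2.3.114", "10.160.129.50"):
        print(src, "->", "10.120.0.1", check_flow(acls, src, "10.120.0.1"))
    print("peer must mirror:", mirror_aces(acls, "rogers_apn"))
```

A flow that hits a crypto ACE but no NAT-exempt ACE is the case the remote admin complained about: it is selected for the tunnel but still subject to any nat/global rule covering it. The firewall's own external address is not translated, which is why line 2 "works" yet proves nothing about DMZ traffic.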