cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2439
Views
0
Helpful
3
Replies
Highlighted
Beginner

VPN Not coming up

I am trying to configure a VPN between my Cisco ASA 5506 and a local hopsital that is using a Juniper device. below are the settings they gave me for the VPN and i have configured the cisco to the best of my knowledge but when i run command Show Crypto Isakmp SA i get "  There are no IKEV1 SA's"

Can some please tell me what is wrong ? i removed the last octect of the IPs for security but i have double checked those are correct and also the preshared key is correct. 

Remote side Settings

IP: 64.183.170.xxx

ike authentication-method pre-shared-keys

ike authentication algorithm md5

ike encryption algorithm 3des-cbc

ike lifetime-seconds 86400

ipsec protocol esp

ipsec authentication-algorithm hmac-sha1-96

ipsec encryption-algorithm 3des-cbc

ipsec lifetime-seconds 86400 

Here is my show run for my Cisco ASA! Please Help !!

!
ASA Version 9.6(1)

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 64.183.35.xx 255.255.255.252
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 172.12.48.x 255.255.255.0
!
ftp mode passive
clock timezone MST -7
object network obj_any
subnet 0.0.0.0 0.0.0.0
object-group network OBJ-INSIDE-NETWORKS
network-object 172.12.48.0 255.255.255.0
access-list ACL-OUTSIDE-IN extended permit icmp any any echo-reply
access-list ACL-OUTSIDE-IN extended deny ip any any
access-list ACL-INSIDE-IN extended permit ip object-group OBJ-INSIDE-NETWORKS any
access-list ACL-INSIDE-IN extended deny ip any any
access-list outside_1_cryptomap extended permit ip 172.12.48.0 255.255.255.0 10.0.6.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (any,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group ACL-OUTSIDE-IN in interface outside
access-group ACL-INSIDE-IN in interface inside
route outside 0.0.0.0 0.0.0.0 64.183.35.xx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set hmac-sha1-96 esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 64.183.170.xxx
crypto map outside_map 1 set ikev1 transform-set hmac-sha1-96
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 64.183.175.xxx 255.255.255.255 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 209.18.47.61
dhcpd auto_config outside
!
dhcpd address 172.12.48.xx-172.12.48.xxx inside
dhcpd enable inside
!
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 64.183.170.xxx type ipsec-l2l
tunnel-group 64.183.170.xxx ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:101abd60a80644491824a922cb5de49a

Here is the Show Crypto isakmp 

ochoa# show crypto isakmp

There are no IKEv1 SAs

There are no IKEv2 SAs

Global IKEv1 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 74880
In Packets: 260
In Drop Packets: 260
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 21816
Out Packets: 202
Out Drop Packets: 0
Out Notifys: 202
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 202
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0

IKEV1 Call Admission Statistics
Max In-Negotiation SAs: 50
In-Negotiation SAs: 0
In-Negotiation SAs Highwater: 1
In-Negotiation SAs Rejected: 0

Global IKEv2 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Drop Fragments: 0
In Notifys: 0
In P2 Exchange: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In IPSEC Delete: 0
In IKE Delete: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Drop Fragments: 0
Out Notifys: 0
Out P2 Exchange: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out IPSEC Delete: 0
Out IKE Delete: 0
SAs Locally Initiated: 0
SAs Locally Initiated Failed: 0
SAs Remotely Initiated: 0
SAs Remotely Initiated Failed: 0
System Capacity Failures: 0
Authentication Failures: 0
Decrypt Failures: 0
Hash Failures: 0
Invalid SPI: 0
In Configs: 0
Out Configs: 0
In Configs Rejects: 0
Out Configs Rejects: 0
Previous Tunnels: 0
Previous Tunnels Wraps: 0
In DPD Messages: 0
Out DPD Messages: 0
Out NAT Keepalives: 0
IKE Rekey Locally Initiated: 0
IKE Rekey Remotely Initiated: 0
CHILD Rekey Locally Initiated: 0
CHILD Rekey Remotely Initiated: 0

IKEV2 Call Admission Statistics
Max Active SAs: No Limit
Max In-Negotiation SAs: 12
Cookie Challenge Threshold: Never
Active SAs: 0
In-Negotiation SAs: 0
Incoming Requests: 0
Incoming Requests Accepted: 0
Incoming Requests Rejected: 0
Outgoing Requests: 0
Outgoing Requests Accepted: 0
Outgoing Requests Rejected: 0
Rejected Requests: 0
Rejected Over Max SA limit: 0
Rejected Low Resources: 0
Rejected Reboot In Progress: 0
Cookie Challenges: 0
Cookie Challenges Passed: 0
Cookie Challenges Failed: 0

Global IKEv1 IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

You already have an object for your inside networks. So add one for the remote networks and then a NAT rule that says any traffic headed to them via the outside interface keeps its original source and destination adresses.

Try something like what I've shown below:

object-group network OBJ-REMOTE-NETWORKS
network-object 10.0.6.0 255.255.255.0

nat (inside,outside) source static OBJ-INSIDE-NETWORKS OBJ-INSIDE-NETWORKS destination static OBJ-REMOTE-NETWORKS OBJ-REMOTE-NETWORKS  no-proxy-arp route-lookup

View solution in original post

3 REPLIES 3
Highlighted
Hall of Fame Guru

You haven't exempted the VPN traffic from NAT. without that, the packets won't arrive with their expected IPs at the distant end. Phase 1 will time out waiting for Phase 2 to establish.

Once you do that and then introduce new interesting traffic, you should see the Phase 1 and Phase 2 SAs establish.

Highlighted

based on the config shown could you tell me the commands i need to run to do the nat exemption ? 

Highlighted

You already have an object for your inside networks. So add one for the remote networks and then a NAT rule that says any traffic headed to them via the outside interface keeps its original source and destination adresses.

Try something like what I've shown below:

object-group network OBJ-REMOTE-NETWORKS
network-object 10.0.6.0 255.255.255.0

nat (inside,outside) source static OBJ-INSIDE-NETWORKS OBJ-INSIDE-NETWORKS destination static OBJ-REMOTE-NETWORKS OBJ-REMOTE-NETWORKS  no-proxy-arp route-lookup

View solution in original post