07-17-2014 09:19 AM
Hello,
I'm new to cisco and need to have these changes made to the vpn tunnel. Can anyone help:
What command would one type to add these configs in. An existing VPN config exists and I am just making some mods:
Phase 1 (ISAKMP)
IKE Mode: Main (not aggressive)
Authentication: Pre-Shared
Encryption: AES-192
Hash: SHA
DH: 2
Lifetime: 43200
Pre-shared Key: *******
Phase 2 (IPsec)
protocol: esp
encryption: AES-256
authentication: SHA
Lifetime: 28800
PFS: Enabled, Group 2
Thanks,
Derek
07-17-2014 09:37 AM
Hi,
Phase1 configurations are not tied to any specific VPN connection. The ISAKMP/Phase1 policy that is chosen is based on what priority the policy is configured at. So we would need to see the output of the following command from your ASA to determine what configurations are needed.
show run crypto
- Jouni
07-17-2014 09:39 AM
Hi Derek,
Here are the commands. Please use the ikev1 or isakmp form according to your ASA code version.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 43200
or
crypto isakmp policy 10
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 43200
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
or
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set pfs group2
tunnel-group <peer-ip> type ipsec-l2l
tunnel-group <peer-ip> ipsec-attributes
 ikev1 pre-shared-key *****
or
tunnel-group <peer-ip> type ipsec-l2l
tunnel-group <peer-ip> ipsec-attributes
 pre-shared-key *****
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
07-17-2014 10:54 AM
ciscoasa# show run crypto
crypto ipsec transform-set vpn esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside 10 match address vpn
crypto map outside 10 set peer 216.117.40.14
crypto map outside 10 set transform-set vpn
crypto map outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 43200
07-17-2014 11:00 AM
Hi,
Seems to me that the above configurations are mostly what you are looking for.
You would need to add this however
crypto map outside 10 set pfs group2
To match the Phase2 settings you mentioned in the original post.
You can naturally also add this
crypto map outside 10 set security-association lifetime seconds 28800
- Jouni
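The check Jouni does by eye above (compare the posted "show run crypto" with the Phase 1/Phase 2 settings from the first post and spot the missing "set pfs group2") can be scripted. The following is an added example, not code from the thread or from Cisco: it parses the "show run crypto" output posted above and reports every requested setting that is not met. The parser accepts both the older "crypto isakmp" / "set transform-set" keywords seen on this ASA and the 8.4+ "crypto ikev1" / "set ikev1 transform-set" spelling; treating "set pfs" with no group as group2 (the ASA default) is an assumption stated in the code.

```python
"""Audit an ASA "show run crypto" capture against required IKEv1 Phase 1/2 settings.

Added example, not from the thread. SAMPLE is the "show run crypto" output
posted above; REQUIRED encodes the settings from the original question.
Assumptions: both "crypto isakmp"/"set transform-set" and the 8.4+
"crypto ikev1"/"set ikev1 transform-set" spellings are accepted, and
"set pfs" without a group is read as group2 (ASA default).
"""
import re

SAMPLE = """\
crypto ipsec transform-set vpn esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside 10 match address vpn
crypto map outside 10 set peer 216.117.40.14
crypto map outside 10 set transform-set vpn
crypto map outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 43200
"""

REQUIRED = {
    "phase1": {"authentication": "pre-share", "encryption": "aes-192",
               "hash": "sha", "group": "2", "lifetime": "43200"},
    "phase2": {"transform": ("esp-aes-256", "esp-sha-hmac"),
               "lifetime": "28800", "pfs": "group2"},
}


def parse_crypto(text):
    """Return ISAKMP policies, transform sets, crypto map entries and the
    global IPsec SA lifetime found in a "show run crypto" capture."""
    cfg = {"policies": {}, "transform_sets": {}, "maps": {}, "global_lifetime": None}
    policy = None  # attribute dict of the policy block being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto "):
            policy = None  # any top-level crypto line ends a policy block
            m = re.match(r"crypto (?:isakmp|ikev1) policy (\d+)$", line)
            if m:
                policy = cfg["policies"].setdefault(m.group(1), {})
                continue
            m = re.match(r"crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$", line)
            if m:
                cfg["transform_sets"][m.group(1)] = tuple(m.group(2).split())
                continue
            m = re.match(r"crypto ipsec security-association lifetime seconds (\d+)$", line)
            if m:
                cfg["global_lifetime"] = m.group(1)
                continue
            m = re.match(r"crypto map (\S+) (\d+) (match|set) (.+)$", line)
            if m:
                entry = cfg["maps"].setdefault((m.group(1), m.group(2)), {})
                words = m.group(4).split()
                if m.group(3) == "match":
                    entry["acl"] = words[1]            # "match address <acl>"
                    continue
                if words[0] == "ikev1":                # "set ikev1 transform-set ..."
                    words = words[1:]
                if words[0] == "peer":
                    entry["peer"] = words[1]
                elif words[0] == "transform-set":
                    entry["transform-set"] = words[1]  # first listed set only
                elif words[0] == "pfs":
                    entry["pfs"] = words[1] if len(words) > 1 else "group2"  # ASA default
                elif words[:3] == ["security-association", "lifetime", "seconds"]:
                    entry["lifetime"] = words[3]
            continue
        if policy is not None:
            key, _, value = line.partition(" ")   # e.g. "encryption aes-192"
            policy[key] = value
    return cfg


def audit(text, required=REQUIRED):
    """Return a list of findings; an empty list means the config meets the request."""
    cfg = parse_crypto(text)
    findings = []
    p1 = required["phase1"]
    # The peer can match any priority, so any one policy with all attributes is enough.
    if not any(all(pol.get(k) == v for k, v in p1.items()) for pol in cfg["policies"].values()):
        findings.append(f"no ISAKMP policy matches Phase 1 requirement {p1}")
    p2 = required["phase2"]
    for (name, seq), entry in sorted(cfg["maps"].items()):
        ts = cfg["transform_sets"].get(entry.get("transform-set"))
        if ts != p2["transform"]:
            findings.append(f"crypto map {name} {seq}: transform-set is {ts}, want {p2['transform']}")
        lifetime = entry.get("lifetime") or cfg["global_lifetime"]  # per-entry overrides global
        if lifetime != p2["lifetime"]:
            findings.append(f"crypto map {name} {seq}: SA lifetime is {lifetime}, want {p2['lifetime']}")
        if entry.get("pfs") != p2["pfs"]:
            findings.append(f"crypto map {name} {seq}: missing 'set pfs {p2['pfs']}'")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE) or ["OK: configuration matches the request"]:
        print(f)
```

Run against the posted output it reports only the missing PFS line; append "crypto map outside 10 set pfs group2" to the input and it reports nothing, which is the same conclusion as the reply above.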
07-17-2014 11:08 AM
Thanks Jouni,
How can this be tested? I am assuming I should be able to ping that remote peer in config t mode and have that be successful? Just curious how to test this.
I can't seem to ping the remote peer. See my other post below for this:
Maybe the static 1:1 NAT isn't configured? I'm thinking I should be able to ping both 10.1.12.164 and 216.117.40.14.
Remote Peer IP: 216.117.40.14
Remote Network: 192.168.50.0/24, 10.10.3.0/24
Your Local Network: n/a
Interesting Traffic = your single host is trying to talk to our side.
Will need to create a static, 1:1 policy NAT of interesting traffic to host 10.1.12.164
Will need to make an IPSec ACL from host 10.1.12.164 to 192.168.50.0/24
Will need to make an IPSec ACL from host 10.1.12.164 to 10.10.3.0/24
07-17-2014 11:11 AM
So if the VPN settings are now correct, is there a reboot command or clear command to ensure the old stuff is not in memory? Or a command to show this VPN tunnel is successfully up?
07-17-2014 11:23 AM
Hi,
The remote VPN device does not necessarily reply to ICMP traffic. It might block such traffic from any source IP address.
You can try the "packet-tracer" to initiate the VPN negotiation. You have to put into the command the source and destination IP addresses that are supposed to use the L2L VPN connection:
packet-tracer input inside tcp <internal source ip> 12345 <destination remote ip> <destination port>
Issue this command twice and see what the VPN Phase of the output says on the second try of issuing the above command. The first "packet-tracer" command's output will always result in a VPN Phase DROP (unless some traffic has already brought up the VPN connection), while the second time you issue the command the L2L VPN connection should already be up.
Notice that if you are doing NAT for your internal IP address you will still use the local/real IP address in the "packet-tracer" command as the source IP.
If you want to easily log off VPN connections you can always log in with the ASDM to the ASA and go to the Monitor / VPN section, list the L2L VPN connections and log off the VPN connection if it's listed there.
- Jouni
07-17-2014 11:53 AM
Yes I had issues ever getting ASDM installed. My remote machine is a mac and the onsite machines are windows server.. but never really got that app to function. I'll try the packet-tracer
07-17-2014 12:02 PM
Hi,
I think the command corresponding to the ASDM log off button is the following
vpn-sessiondb logoff ipaddress <remote peer ip>
- Jouni
07-17-2014 12:07 PM
ciscoasa# packet-tracer input inside tcp 10.1.12.164 80 216.117.40.14 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (99.24.60.86 [Interface PAT])
translate_hits = 4937324, untranslate_hits = 908569
Additional Information:
Dynamic translate 10.1.12.164/80 to 99.24.60.86/42 using netmask 255.255.255.255
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6868761, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
07-17-2014 12:13 PM
Hi,
You are using the wrong IP addresses. You should use the actual host IP addresses that fit into the ACL used for the L2L VPN. And as I said you will use the real/local IP address as the source.
So it would be something like this for example
packet-tracer input inside tcp 192.168.1.2 12345 192.168.50.100 80
I think the above source IP was listed in some of your other posts. The destination IP address and port are just some that fit the remote network in the L2L VPN configuration.
Remember to issue the "packet-tracer" command twice.
- Jouni
07-17-2014 12:25 PM
Forgot that. Here is the output issued back to back:
ciscoasa# packet-tracer input inside tcp 192.168.1.2 12345 192.168.50.100 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) 10.1.12.164 access-list nat
match ip inside host 192.168.1.2 outside 192.168.50.0 255.255.255.0
static translation to 10.1.12.164
translate_hits = 1, untranslate_hits = 0
Additional Information:
Static translate 192.168.1.2/0 to 10.1.12.164/0 using netmask 255.255.255.255
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
match tcp inside host 192.168.1.2 eq 3389 outside any
static translation to 99.24.60.86/3389
translate_hits = 214, untranslate_hits = 216877
Additional Information:
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa#
ciscoasa# packet-tracer input inside tcp 192.168.1.2 12345 192.168.50.100 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) 10.1.12.164 access-list nat
match ip inside host 192.168.1.2 outside 192.168.50.0 255.255.255.0
static translation to 10.1.12.164
translate_hits = 2, untranslate_hits = 0
Additional Information:
Static translate 192.168.1.2/0 to 10.1.12.164/0 using netmask 255.255.255.255
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
match tcp inside host 192.168.1.2 eq 3389 outside any
static translation to 99.24.60.86/3389
translate_hits = 214, untranslate_hits = 216877
Additional Information:
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
07-17-2014 12:34 PM
Hi,
Seems to me that the "packet-tracer" test matches the correct Static Policy NAT rule.
It would seem to suggest that the VPN configurations don't match between this site and the remote site. Or perhaps the remote site has not configured their side yet.
If you issue the same "packet-tracer" command once or twice and then issue the command "show crypto isakmp sa", it should show us if the Phase 1 goes through. You should see the remote VPN device IP address in the output, and if the Phase 1 goes through you should be seeing "MM_ACTIVE" listed.
If you can see that, then the problem is probably in the Phase 2 configurations in the Crypto Map that you can list with "show run crypto map".
- Jouni
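The troubleshooting sequence spread over the replies above (run "packet-tracer" twice and read the VPN phase of the second run, then look at "show crypto isakmp sa" for the peer and MM_ACTIVE) can be turned into a small triage script. This is an added example, not code from the thread or from Cisco. Its sample inputs are trimmed from the packet-tracer runs and the "show crypto isakmp sa" reply posted in this thread; the MM_ACTIVE sample is constructed in the ASA output format, which is an assumption, since the thread never shows a successful Phase 1.

```python
"""Triage an ASA L2L VPN from "packet-tracer" and "show crypto isakmp sa" output.

Added example, not from the thread. RUN and NOT_INTERESTING are trimmed from
the packet-tracer runs posted above (phases that do not matter are cut), NO_SA
is the "show crypto isakmp sa" reply posted above, and ACTIVE_SA is constructed
in the ASA output format (assumption) to show the MM_ACTIVE case.
The decision logic follows the replies in this thread.
"""
import re

PEER = "216.117.40.14"

RUN = """\
ciscoasa# packet-tracer input inside tcp 192.168.1.2 12345 192.168.50.100 80

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) 10.1.12.164 access-list nat

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
TRACER = RUN + "\n" + RUN  # the same command issued twice, back to back

NOT_INTERESTING = """\
ciscoasa# packet-tracer input inside tcp 10.1.12.164 80 216.117.40.14 80

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW

Result:
Action: allow
"""

NO_SA = "There are no isakmp sas\n"
ACTIVE_SA = """\
1   IKE Peer: 216.117.40.14
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""


def parse_packet_tracer(text):
    """Split a terminal capture into runs; each run records its phases
    (type, subtype, result), the final action and the drop reason."""
    runs, run, phase = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if "packet-tracer input" in line:          # a new run starts at the command line
            run = {"command": line.split("packet-tracer", 1)[1].strip(),
                   "phases": [], "action": None, "drop_reason": None}
            runs.append(run)
            phase = None
        elif run is None or not line:
            continue
        elif line == "Result:":                     # summary block, not a phase result
            phase = None
        elif line.startswith("Phase:"):
            phase = {"type": None, "subtype": "", "result": None}
            run["phases"].append(phase)
        elif phase is not None and line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, value = line.partition(":")
            phase[key.lower()] = value.strip()
        elif line.startswith("Action:"):
            run["action"] = line.partition(":")[2].strip()
        elif line.startswith("Drop-reason:"):
            run["drop_reason"] = line.partition(":")[2].strip()
    return runs


def vpn_phase(run):
    """(subtype, result) of the VPN phase, or None if the packet never reached one."""
    for p in run["phases"]:
        if p["type"] == "VPN":
            return p["subtype"], p["result"]
    return None


def isakmp_state(sa_text, peer):
    """ISAKMP SA state for peer (e.g. 'MM_ACTIVE'), or None if no SA is listed for it."""
    current = None
    for line in sa_text.splitlines():
        m = re.search(r"IKE Peer:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.search(r"\bState\s*:\s*(\S+)", line)
        if m and current == peer:
            return m.group(1)
    return None


def triage(tracer_text, sa_text, peer=PEER):
    """Say where the tunnel is failing, following the reasoning in the thread."""
    runs = parse_packet_tracer(tracer_text)
    if not runs:
        return "no packet-tracer output found"
    vp = vpn_phase(runs[-1])
    if vp is None:  # e.g. the wrong-address run: matched dynamic PAT, never hit the crypto ACL
        return "packet never reached the VPN phase: not interesting traffic, check the crypto map ACL and NAT"
    if len(runs) < 2:
        return "run packet-tracer a second time: the first run only starts the negotiation"
    if vp[1] == "ALLOW":
        return f"tunnel up: the second run passed the VPN {vp[0]} phase"
    state = isakmp_state(sa_text, peer)
    if state is None:
        return (f"Phase 1 not established (no ISAKMP SA for {peer}): peer unreachable, "
                "not yet configured, or Phase 1 settings/pre-shared key mismatch")
    if state == "MM_ACTIVE":
        return "Phase 1 up, Phase 2 failing: compare transform-set, PFS, lifetimes and crypto ACL with the peer"
    return f"Phase 1 still negotiating or failing: ISAKMP SA state {state}"
```

With the two posted runs and the "There are no isakmp sas" reply, triage() lands on the Phase 1 branch, which is where the thread stands at this point; feed it the same runs with an MM_ACTIVE SA and it points at Phase 2 instead.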
07-17-2014 12:37 PM
ciscoasa# show crypto isakmp sa
There are no isakmp sas
ciscoasa#