02-08-2012 06:05 PM
Hi all,
I'm trying to set up a site-to-site VPN. The office router is a 2911 with IP a.a.a.a; the remote office has an ASA 5505 running 8.4(3) with IP b.b.b.b, but no luck.
2911 config:
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2911
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.152-2.T.bin
boot-end-marker
!
!
security passwords min-length 10
logging buffered 51200 warnings
!
no aaa new-model
!
!
ipv6 spd queue min-threshold 62
ipv6 spd queue max-threshold 63
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.22.1 192.168.22.99
ip dhcp excluded-address 192.168.33.1 192.168.33.99
ip dhcp excluded-address 192.168.44.1 192.168.44.99
ip dhcp excluded-address 192.168.55.1 192.168.55.99
ip dhcp excluded-address 192.168.10.240 192.168.10.254
ip dhcp excluded-address 192.168.22.240 192.168.22.254
ip dhcp excluded-address 192.168.33.240 192.168.33.254
ip dhcp excluded-address 192.168.44.240 192.168.44.254
ip dhcp excluded-address 192.168.55.240 192.168.55.254
!
ip dhcp pool desktops
import all
network 192.168.33.0 255.255.255.0
default-router 192.168.33.254
dns-server 192.168.10.10 202.50.246.41 202.50.246.42
domain-name local
netbios-name-server 192.168.10.10
netbios-node-type h-node
!
ip dhcp pool wi-fi
import all
network 192.168.44.0 255.255.255.0
dns-server 192.168.10.10 202.50.246.41 202.50.246.42
domain-name local
default-router 192.168.44.254
netbios-name-server 192.168.10.10
netbios-node-type h-node
!
ip dhcp pool DMZ
import all
network 192.168.55.0 255.255.255.0
dns-server 192.168.10.10 202.50.246.41 202.50.246.42
domain-name local
default-router 192.168.55.254
netbios-name-server 192.168.10.10
netbios-node-type h-node
!
ip dhcp pool voip
import all
network 192.168.22.0 255.255.255.0
dns-server 192.168.10.10 202.50.246.41 202.50.246.42
domain-name local
default-router 192.168.22.254
netbios-name-server 192.168.10.10
netbios-node-type h-node
!
ip dhcp pool servers
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
dns-server 192.168.10.10 202.50.246.41 202.50.246.42
domain-name local
netbios-name-server 192.168.10.10
netbios-node-type h-node
!
!
ip domain name domain
ip name-server 192.168.10.10
ip cef
login block-for 180 attempts 3 within 180
login delay 10
vlan ifdescr detail
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3956567439
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3956567439
revocation-check none
rsakeypair TP-self-signed-3956567439
!
!
crypto pki certificate chain TP-self-signed-3956567439
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
license udi pid CISCO2911/K9 sn
!
!
object-group network FULL_NET
description complete network range
192.168.10.0 255.255.255.0
192.168.11.0 255.255.255.0
192.168.22.0 255.255.255.0
192.168.33.0 255.255.255.0
192.168.44.0 255.255.255.0
!
object-group network limited
description network without Servers and Router
192.168.22.0 255.255.255.0
192.168.33.0 255.255.255.0
192.168.44.0 255.255.255.0
!
vtp version 2
username admin privilege 0 password 7 password
!
redundancy
!
!
!
!
!
no ip ftp passive
!
!
crypto isakmp policy 10
encr aes 256
hash sha512
authentication pre-share
crypto isakmp key admin address b.b.b.b
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set SET esp-aes esp-sha-hmac
!
!
!
crypto map MAP 10 ipsec-isakmp
set peer b.b.b.b
set transform-set SET
match address 160
!
!
!
!
!
interface Port-channel1
no ip address
hold-queue 150 in
!
interface Port-channel1.1
encapsulation dot1Q 1 native
ip address 192.168.11.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Port-channel1.10
encapsulation dot1Q 10
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Port-channel1.22
encapsulation dot1Q 22
ip address 192.168.22.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Port-channel1.33
encapsulation dot1Q 33
ip address 192.168.33.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Port-channel1.44
encapsulation dot1Q 44
ip address 192.168.44.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Port-channel1.55
encapsulation dot1Q 55
ip address 192.168.55.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
channel-group 1
!
interface GigabitEthernet0/2
description $ES_LAN$
no ip address
duplex auto
speed auto
channel-group 1
!
interface GigabitEthernet0/0/0
ip address a.a.a.a 255.255.255.224
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map MAP
!
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list NAT_INTERNET interface GigabitEthernet0/0/0 overload
ip nat inside source static udp a.a.a.a 500 interface GigabitEthernet0/0/0 500
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
ip access-list extended NAT_INTERNET
deny ip object-group FULL_NET 192.168.17.0 0.0.0.255
deny ip object-group FULL_NET 192.168.1.0 0.0.0.255
permit ip object-group FULL_NET any
!
access-list 1 permit 192.168.44.100
access-list 23 permit 192.168.10.7
access-list 23 permit 192.168.44.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
!
!
!
control-plane
!
!
!
line con 0
password 7 password
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input ssh
!
scheduler allocate 20000 1000
!
end
ASA config:
: Saved : ASA Version 8.4(3) ! hostname C domain-name domain enable password password encrypted passwd passwd encrypted names ! interface Ethernet0/0 ! interface Ethernet0/1 shutdown ! interface Ethernet0/2 shutdown ! interface Ethernet0/3 shutdown ! interface Ethernet0/4 shutdown ! interface Ethernet0/5 switchport access vlan 100 ! interface Ethernet0/6 switchport trunk allowed vlan 2,6 switchport mode trunk ! interface Ethernet0/7 shutdown ! interface Vlan1 description INTERNET mac-address 1234.5678.0001 nameif WAN security-level 0 ip address b.b.b.b 255.255.255.248 standby c.c.c.c ospf cost 10 ! interface Vlan2 description OLD-PRIVATE mac-address 1234.5678.0102 nameif OLD-Private security-level 100 ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3 ospf cost 10 ! interface Vlan6 description MANAGEMENT mac-address 1234.5678.0106 nameif Management security-level 100 ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3 ospf cost 10 ! interface Vlan100 description LAN Failover Interface ! 
boot system disk0:/asa843-k8.bin ftp mode passive clock timezone NZST 12 clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 2:00 dns domain-lookup WAN dns server-group DefaultDNS name-server 208.67.222.222 domain-name domain same-security-traffic permit intra-interface object network obj-192.168.17.0 subnet 192.168.17.0 255.255.255.0 object network obj-192.168.10.0 subnet 192.168.10.0 255.255.255.0 object network obj-192.168.2.0 subnet 192.168.2.0 255.255.255.0 object network obj-192.168.9.0 subnet 192.168.9.0 255.255.255.0 object network obj-192.168.33.0 subnet 192.168.33.0 255.255.255.0 object network obj-192.168.44.0 subnet 192.168.44.0 255.255.255.0 object network obj_any object network obj_any-01 object network NETWORK_OBJ_192.168.10.0_24 subnet 192.168.10.0 255.255.255.0 object network NETWORK_OBJ_192.168.17.0_24 subnet 192.168.17.0 255.255.255.0 object network subnet-00 subnet 0.0.0.0 0.0.0.0 object-group protocol TCPUDP protocol-object udp protocol-object tcp object-group service RDP tcp description RDP port-object eq 3389 object-group network DM_INLINE_NETWORK_1 network-object 192.168.17.0 255.255.255.0 network-object 192.168.10.0 255.255.255.0 network-object 192.168.33.0 255.255.255.0 network-object 192.168.44.0 255.255.255.0 object-group network DM_INLINE_NETWORK_2 network-object 192.168.10.0 255.255.255.0 network-object 192.168.33.0 255.255.255.0 network-object 192.168.44.0 255.255.255.0 object-group network subnet-17 network-object 192.168.17.0 255.255.255.0 object-group network subnet-2 network-object 192.168.2.0 255.255.255.0 object-group network subnet-9 network-object 192.168.9.0 255.255.255.0 object-group network subnet-10 network-object 192.168.10.0 255.255.255.0 access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list LAN_IP standard permit 192.168.17.0 255.255.255.0 access-list 
WAN_access_in extended permit ip any any log debugging access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging access-list WAN_access_in extended permit icmp x.x.x.x 255.255.255.248 192.168.10.0 255.255.255.0 access-list MANAGEMENT_access_in extended permit ip any any log debugging access-list OLD-PRIVATE_access_in extended permit ip any any log debugging access-list OLD-PRIVATE_access_in extended permit icmp any object-group DM_INLINE_NETWORK_1 access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list CiscoVPNClient_splitTunnelAcl standard permit 192.168.17.0 255.255.255.0 access-list LAN_access_in extended permit ip any any log debugging access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list LAN_IP_inbound standard permit 192.168.10.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0 access-list vpnusers_splitTunnelAcl extended permit ip 192.168.17.0 255.255.255.0 any access-list nonat-in extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0 pager lines 24 logging enable logging buffer-size 52000 logging monitor informational logging trap 
informational logging asdm informational logging from-address syslog logging recipient-address admin level errors logging host OLD-Private 192.168.17.110 format emblem logging debug-trace logging permit-hostdown mtu WAN 1500 mtu OLD-Private 1500 mtu Management 1500 ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0 ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0 failover failover lan unit primary failover lan interface failover Vlan100 failover polltime interface 15 holdtime 75 failover key ***** failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2 icmp unreachable rate-limit 1 burst-size 1 icmp permit 192.168.10.0 255.255.255.0 WAN icmp permit host x.x.x.x WAN icmp permit 192.168.17.0 255.255.255.0 WAN icmp permit host c.c.c.c WAN icmp permit host a.a.a.a WAN icmp deny any WAN icmp permit 192.168.10.0 255.255.255.0 OLD-Private icmp permit 192.168.17.0 255.255.255.0 OLD-Private icmp permit host a.a.a.a OLD-Private icmp permit host 192.168.10.0 Management icmp permit host 192.168.17.138 Management icmp permit 192.168.1.0 255.255.255.0 Management icmp permit host 192.168.1.26 Management icmp permit host a.a.a.a Management asdm image disk0:/asdm-647.bin no asdm history enable arp timeout 14400 nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-10 subnet-10 no-proxy-arp nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-2 subnet-2 no-proxy-arp nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-9 subnet-9 no-proxy-arp nat (Management,WAN) source static NETWORK_OBJ_192.168.17.0_24 NETWORK_OBJ_192.168.17.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup ! 
object network subnet-00 nat (OLD-Private,WAN) dynamic interface access-group WAN_access_in in interface WAN access-group OLD-PRIVATE_access_in in interface OLD-Private access-group MANAGEMENT_access_in in interface Management route WAN 0.0.0.0 0.0.0.0 x.x.x.x 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL aaa authentication ssh console LOCAL aaa local authentication attempts max-fail 10 http server enable http b.b.b.b 255.255.255.255 WAN http 0.0.0.0 0.0.0.0 WAN no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart service resetoutside crypto ipsec ikev1 transform-set OFFICE esp-aes esp-sha-hmac crypto map WAN_map 1 match address WAN_1_cryptomap crypto map WAN_map 1 set pfs crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map Office 2 match address WAN_1_cryptomap crypto map Office 2 set peer a.a.a.a crypto map Office interface WAN crypto map MAP 10 set peer a.a.a.a crypto map MAP 10 set ikev1 transform-set OFFICE crypto ikev2 enable WAN crypto ikev1 enable WAN crypto ikev1 policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 30 authentication pre-share encryption des hash sha group 1 lifetime 86400 telnet timeout 5 ssh a.a.a.a 255.255.255.255 WAN ssh timeout 30 ssh version 2 console timeout 0 dhcpd auto_config OLD-Private ! 
threat-detection basic-threat threat-detection statistics host threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 ntp server 129.6.15.28 source WAN prefer webvpn group-policy DfltGrpPolicy attributes vpn-tunnel-protocol ikev1 ssl-client ssl-clientless group-policy admin internal group-policy admin attributes dns-server value 208.67.222.222 156.154.70.1 vpn-tunnel-protocol ikev1 group-policy GroupPolicy_a.a.a.a internal group-policy GroupPolicy_a.a.a.a attributes vpn-tunnel-protocol ikev1 ikev2 group-policy CiscoVPNClient internal group-policy CiscoVPNClient attributes vpn-idle-timeout 30 vpn-session-timeout none vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless split-tunnel-policy tunnelspecified split-tunnel-network-list value CiscoVPNClient_splitTunnelAcl username admin password password encrypted privilege 15 tunnel-group admin type remote-access tunnel-group admin general-attributes address-pool vpnclient authorization-server-group LOCAL default-group-policy admin tunnel-group a.a.a.a type ipsec-l2l tunnel-group a.a.a.a general-attributes default-group-policy GroupPolicy_a.a.a.a tunnel-group a.a.a.a ipsec-attributes ikev1 pre-shared-key ***** ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** tunnel-group CiscoVPNClient type remote-access tunnel-group CiscoVPNClient general-attributes address-pool vpnclient default-group-policy CiscoVPNClient tunnel-group CiscoVPNClient ipsec-attributes ikev1 pre-shared-key ***** ! class-map inspection_default match default-inspection-traffic ! ! 
policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect icmp ! service-policy global_policy global smtp-server 192.168.17.10 prompt hostname context no call-home reporting anonymous call-home contact-email-addr admin contact-name admin profile CiscoTAC-1 no active : end asdm image disk0:/asdm-647.bin asdm location c.c.c.c 255.255.255.255 WAN asdm location 192.168.17.2 255.255.255.255 WAN asdm location a.a.a.a 255.255.255.255 OLD-Private no asdm history enable
ASA:
# show crypto ipsec sa
There are no ipsec sas
# show crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
2911:
#show crypto ipsec sa
interface: GigabitEthernet0/0/0
Crypto map tag: MAP, local addr a.a.a.a
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
current_peer b.b.b.b port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4, #recv errors 0
local crypto endpt.: a.a.a.a, remote crypto endpt.: b.b.b.b
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
--More-- inbound ah sas:
--More--
--More-- inbound pcp sas:
--More--
--More-- outbound esp sas:
--More--
--More-- outbound ah sas:
--More--
--More-- outbound pcp sas:
Thanks for your time,
Nick
02-09-2012 03:53 AM
Please add the line below. Crypto map entry Office 2 matches the ACL and sets the peer but has no transform set, so the ASA has no complete Phase 2 policy for this peer (hence "crypto map policy not found" in the log):
crypto map Office 2 set ikev1 transform-set OFFICE
If this does not help, please enable debug crypto ipsec 255 and paste the output here.
HTH. Please rate if it was helpful. "Correct answer" will be also pleasant.
02-08-2012 11:57 PM
access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0
is not the mirror image of ACL 160 on the router:
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
That's the problem.
BTW, ACLs WAN_2_cryptomap and WAN_cryptomap_2 are not used anywhere on the ASA.
HTH. Please rate if it was helpful. "Correct answer" will be also pleasant.
02-09-2012 12:19 AM
Hi Evgeniy,
I've replaced access-list.
Result of the command: "show run | include WAN_1_cryptomap"
access-list WAN_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map Office 2 match address WAN_1_cryptomap
Tunnel is still down. In ASDM I see:
IP = a.a.a.a, Error processing payload: Payload ID: 1
02-09-2012 12:41 AM
First, I think IKEv2 is not required in tunnel-group a.a.a.a ipsec-attributes.
Second, your ISAKMP/IKE policies are incompatible between IOS and ASA:
On IOS:
crypto isakmp policy 10
encr aes 256
hash sha512
authentication pre-share
crypto isakmp key admin address b.b.b.b
crypto isakmp invalid-spi-recovery
On ASA:
crypto ikev1 policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 30 authentication pre-share encryption des hash sha group 1 lifetime 86400
They should match: Phase 1 only completes when the responder has a policy whose encryption, hash, DH group and authentication method all match one that the initiator proposes.
HTH. Please rate if it was helpful. "Correct answer" will be also pleasant.
02-09-2012 01:52 AM
IKEv2 has been removed from the ASA config; the IKEv1 policies are now:
crypto ikev1 policy 10 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto ikev1 policy 30 authentication pre-share encryption aes-256 hash sha group 1 lifetime 86400
Now, in addition to Payload ID: 1, another error has appeared: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
02-09-2012 02:06 AM
Please configure on IOS (your IOS policy has no group line, so it defaults to Diffie-Hellman group 1; that is the "Rcv'd: Group 1 Cfg'd: Group 2" mismatch in the error above):
crypto isakmp policy 10
encr aes 256
hash sha
authentication pre-share
group 2
On the ASA you can try to remove the policy below; once IOS proposes group 2 it will never be selected:
crypto ikev1 policy 30 authentication pre-share encryption aes-256 hash sha group 1 lifetime 86400
HTH. Please rate if it was helpful. "Correct answer" will be also pleasant.
02-09-2012 02:30 AM
Updated ASA config:
crypto ikev1 enable WAN crypto ikev1 policy 10 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 telnet timeout 5
And IOS: hash sha512 -> hash sha
Now ASDM shows 1 IPsec connection, then reports the error:
IP = a.a.a.a, Received encrypted packet with no matching SA, dropping
Full log:
5|Feb 09 2012|23:20:14|713904|||||IP = a.a.a.a, Received encrypted packet with no matching SA, dropping
4|Feb 09 2012|23:20:13|113019|||||Group = a.a.a.a, Username = a.a.a.a, IP = a.a.a.a, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
5|Feb 09 2012|23:20:13|713259|||||Group = a.a.a.a, IP = a.a.a.a, Session is being torn down. Reason: crypto map policy not found
3|Feb 09 2012|23:20:13|713902|||||Group = a.a.a.a, IP = a.a.a.a, Removing peer from correlator table failed, no match!
3|Feb 09 2012|23:20:13|713902|||||Group = a.a.a.a, IP = a.a.a.a, QM FSM error (P2 struct &0xcb4ce360, mess id 0x2f1dae8b)!
3|Feb 09 2012|23:20:13|713061|||||Group = a.a.a.a, IP = a.a.a.a, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.10.0/255.255.255.0/0/0 local proxy 192.168.17.0/255.255.255.0/0/0 on interface WAN
5|Feb 09 2012|23:20:13|713119|||||Group = a.a.a.a, IP = a.a.a.a, PHASE 1 COMPLETED
6|Feb 09 2012|23:20:13|113009|||||AAA retrieved default group policy (GroupPolicy_a.a.a.a) for user = a.a.a.a
6|Feb 09 2012|23:20:13|713172|||||Group = a.a.a.a, IP = a.a.a.a, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
1|Feb 09 2012|23:19:51|105009|||||(Primary) Testing on interface WAN Passed
1|Feb 09 2012|23:19:51|105008|||||(Primary) Testing Interface WAN
5|Feb 09 2012|23:19:44|713904|||||IP = a.a.a.a, Received encrypted packet with no matching SA, dropping
4|Feb 09 2012|23:19:43|113019|||||Group = a.a.a.a, Username = a.a.a.a, IP = a.a.a.a, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
5|Feb 09 2012|23:19:43|713259|||||Group = a.a.a.a, IP = a.a.a.a, Session is being torn down. Reason: crypto map policy not found
3|Feb 09 2012|23:19:43|713902|||||Group = a.a.a.a, IP = a.a.a.a, Removing peer from correlator table failed, no match!
3|Feb 09 2012|23:19:43|713902|||||Group = a.a.a.a, IP = a.a.a.a, QM FSM error (P2 struct &0xcb4ce360, mess id 0x268ce1b3)!
3|Feb 09 2012|23:19:43|713061|||||Group = a.a.a.a, IP = a.a.a.a, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.10.0/255.255.255.0/0/0 local proxy 192.168.17.0/255.255.255.0/0/0 on interface WAN
5|Feb 09 2012|23:19:43|713119|||||Group = a.a.a.a, IP = a.a.a.a, PHASE 1 COMPLETED
6|Feb 09 2012|23:19:43|113009|||||AAA retrieved default group policy (GroupPolicy_a.a.a.a) for user = a.a.a.a
6|Feb 09 2012|23:19:43|713172|||||Group = a.a.a.a, IP = a.a.a.a, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
02-09-2012 02:33 AM
That's good! We are one step closer. Now the problem is with your Phase 2 SAs.
Key moment here is:
3|Feb 09 2012|23:19:43|713061|||||Group = a.a.a.a, IP = a.a.a.a, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.10.0/255.255.255.0/0/0 local proxy
BTW
crypto map MAP
is used nowhere (it is not applied to any interface). I suggest you remove it from the ASA's config.
Please show me your configs from the ASA and IOS once again. I expect you to modify your ACLs so that each side's crypto ACL is the exact mirror of the other's, like this:
On ASA:
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
On IOS:
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
And nothing more.
HTH. Please rate if it was helpful. "Correct answer" will be also pleasant.
02-09-2012 02:54 AM
IOS config:
!
! Last configuration change at 10:17:28 UTC Thu Feb 9 2012 by admin
! NVRAM config last updated at 10:17:49 UTC Thu Feb 9 2012 by admin
! NVRAM config last updated at 10:17:49 UTC Thu Feb 9 2012 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname host
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.152-2.T.bin
boot-end-marker
!
!
security passwords min-length 10
logging buffered 51200 warnings
!
no aaa new-model
!
!
ipv6 spd queue min-threshold 62
ipv6 spd queue max-threshold 63
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.22.1 192.168.22.99
ip dhcp excluded-address 192.168.33.1 192.168.33.99
ip dhcp excluded-address 192.168.44.1 192.168.44.99
ip dhcp excluded-address 192.168.55.1 192.168.55.99
ip dhcp excluded-address 192.168.10.240 192.168.10.254
ip dhcp excluded-address 192.168.22.240 192.168.22.254
ip dhcp excluded-address 192.168.33.240 192.168.33.254
ip dhcp excluded-address 192.168.44.240 192.168.44.254
ip dhcp excluded-address 192.168.55.240 192.168.55.254
!
ip dhcp pool desktops
import all
network 192.168.33.0 255.255.255.0
default-router 192.168.33.254
dns-server 192.168.10.10 202.50.246.41 202.50.246.42
domain-name local
netbios-name-server 192.168.10.10
netbios-node-type h-node
!
ip dhcp pool wi-fi
import all
network 192.168.44.0 255.255.255.0
dns-server 192.168.10.10 202.50.246.41 202.50.246.42
domain-name local
default-router 192.168.44.254
netbios-name-server 192.168.10.10
netbios-node-type h-node
!
ip dhcp pool DMZ
import all
network 192.168.55.0 255.255.255.0
dns-server 192.168.10.10 202.50.246.41 202.50.246.42
domain-name local
default-router 192.168.55.254
netbios-name-server 192.168.10.10
netbios-node-type h-node
!
ip dhcp pool voip
import all
network 192.168.22.0 255.255.255.0
dns-server 192.168.10.10 202.50.246.41 202.50.246.42
domain-name local
default-router 192.168.22.254
netbios-name-server 192.168.10.10
netbios-node-type h-node
!
ip dhcp pool servers
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
dns-server 192.168.10.10 202.50.246.41 202.50.246.42
domain-name local
netbios-name-server 192.168.10.10
netbios-node-type h-node
!
!
ip domain name domain
ip name-server 192.168.10.10
ip cef
login block-for 180 attempts 3 within 180
login delay 10
vlan ifdescr detail
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3956567439
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3956567439
revocation-check none
rsakeypair TP-self-signed-3956567439
!
!
crypto pki certificate chain TP-self-signed-3956567439
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33393536 35363734 3339301E 170D3132 30313036 30313036
34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39353635
36373433 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BBBC B2F63B46 7BBC2153 2CBE7448 75C4242B F1889273 60514BBC DDE1DA56
E39DBB15 1F287CC1 152524A5 D87A8A56 13EAFB5B B84C84AB C25D6FA4 976A2CD5
D1A33DE0 0433C73B D4202B8B 11237BC9 D7DF4B94 826020BB 46EFD1BF 84FB7743
9FA14E39 2725527B 7E9533AE E6785232 FC74EA73 08F60A6F 186A3637 26019E4A
2FCB0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14AC4CB9 4112EF5F A5B1E2DF AAF07C77 25B01101 C5301D06
03551D0E 04160414 AC4CB941 12EF5FA5 B1E2DFAA F07C7725 B01101C5 300D0609
2A864886 F70D0101 05050003 818100B0 92B2D45B DDE83E4A 322F2091 4A098970
63AE4657 9066FB28 74B33515 93DDD8A5 2BAD749C 5B7D3CB0 AD35C84F AE356765
684BFFB4 0890D062 F318F65C 0DF2710E 2C31BC4F 4FEBE931 C438803B A09D2DCF
BF9A4DC5 72DC227D 1D41F488 5382C952 0A1E4491 0A596C3B BFAEA355 5CD436DF
7B3E69EB 5C5BEF9E 129B736F 067CB0
quit
license udi pid CISCO2911/K9 sn
!
!
object-group network FULL_NET
description complete network range
192.168.10.0 255.255.255.0
192.168.11.0 255.255.255.0
192.168.22.0 255.255.255.0
192.168.33.0 255.255.255.0
192.168.44.0 255.255.255.0
!
object-group network limited
description network without Servers and Router
192.168.22.0 255.255.255.0
192.168.33.0 255.255.255.0
192.168.44.0 255.255.255.0
!
vtp version 2
username admin privilege 0 password 7 password
!
redundancy
!
!
!
!
!
no ip ftp passive
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key admin address b.b.b.b
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set PEER1 esp-aes esp-sha-hmac
!
!
!
crypto map MAP 10 ipsec-isakmp
set peer b.b.b.b
set transform-set PEER1
match address 160
!
!
!
!
!
interface Port-channel1
no ip address
hold-queue 150 in
!
interface Port-channel1.1
encapsulation dot1Q 1 native
ip address 192.168.11.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Port-channel1.10
encapsulation dot1Q 10
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Port-channel1.22
encapsulation dot1Q 22
ip address 192.168.22.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Port-channel1.33
encapsulation dot1Q 33
ip address 192.168.33.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Port-channel1.44
encapsulation dot1Q 44
ip address 192.168.44.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Port-channel1.55
encapsulation dot1Q 55
ip address 192.168.55.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
channel-group 1
!
interface GigabitEthernet0/2
description $ES_LAN$
no ip address
duplex auto
speed auto
channel-group 1
!
! Internet-facing interface. No "ip access-group ... in" is applied, so
! unsolicited inbound traffic is held off only by NAT state and by the
! per-service access classes (ip http access-class 23, vty access-class 23).
! An inbound ACL or zone-based firewall would make that explicit; without
! stateful inspection such an ACL still has to admit return traffic to
! a.a.a.a as well as IKE (udp/500) and ESP from b.b.b.b.
interface GigabitEthernet0/0/0
ip address a.a.a.a 255.255.255.224
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map MAP
!
ip forward-protocol nd
!
! Management plane: plain HTTP is off, HTTPS is on, and access-class 23
! limits it to the internal sources listed in ACL 23.
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
! Overloaded PAT for everything NAT_INTERNET permits. The static udp/500
! entry maps a.a.a.a to itself: the router already terminates IKE on
! a.a.a.a, so this looks like a leftover from a design with an inside VPN
! endpoint -- confirm before keeping it.
ip nat inside source list NAT_INTERNET interface GigabitEthernet0/0/0 overload
ip nat inside source static udp a.a.a.a 500 interface GigabitEthernet0/0/0 500
ip route 0.0.0.0 0.0.0.0 c.c.c.c
!
! NAT exemption: tunnel-bound traffic to 192.168.17.0/24 (and 192.168.1.0/24)
! is denied here so it is not PATed before encryption. Only 192.168.17.0/24
! appears in crypto ACL 160; the 192.168.1.0/24 exemption has no matching
! crypto entry on this router (the ASA's WAN_cryptomap_2 for it is unbound).
ip access-list extended NAT_INTERNET
deny ip object-group FULL_NET 192.168.17.0 0.0.0.255
deny ip object-group FULL_NET 192.168.1.0 0.0.0.255
permit ip object-group FULL_NET any
!
! ACL 1 and ACL 100 are not referenced in the visible configuration (100 is
! a duplicate of 160). ACL 23 gates HTTPS and vty access.
access-list 1 permit 192.168.44.100
access-list 23 permit 192.168.10.7
access-list 23 permit 192.168.44.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
! Crypto ACL for MAP 10. The ASA's crypto ACL must be its exact mirror
! (192.168.17.0/24 -> 192.168.10.0/24) and nothing more.
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
!
!
!
control-plane
!
!
!
! Console password is type 7 (reversible); prefer "login local" with a
! "secret" user, or at least a type-5 secret.
line con 0
password 7 password
login
line aux 0
! Service-engine console line: "no exec" means no shell is started on it,
! which is what keeps "transport input all" from exposing anything.
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
! vty: SSH only, sources limited by ACL 23, local accounts. "privilege
! level 15" puts every successful login at full privilege.
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input ssh
!
scheduler allocate 20000 1000
!
end
---------------------------------------------------------------------------------------------------------------------------------------
ASA config:
: Saved
:
ASA Version 8.4(3)
!
hostname host
domain-name domain
enable password password encrypted
passwd passwd encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
switchport access vlan 100
!
interface Ethernet0/6
switchport trunk allowed vlan 2,6
switchport mode trunk
!
interface Ethernet0/7
shutdown
!
interface Vlan1
description INTERNET
mac-address 1234.5678.0001
nameif WAN
security-level 0
ip address b.b.b.b 255.255.255.248 standby x.x.x.x
ospf cost 10
!
interface Vlan2
description OLD-PRIVATE
mac-address 1234.5678.0102
nameif OLD-Private
security-level 100
ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3
ospf cost 10
!
interface Vlan6
description MANAGEMENT
mac-address 1234.5678.0106
nameif Management
security-level 100
ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
ospf cost 10
!
interface Vlan100
description LAN Failover Interface
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 2:00
dns domain-lookup WAN
dns server-group DefaultDNS
name-server xxx.xxx.xxx.xxx
domain-name domain
same-security-traffic permit intra-interface
object network obj-192.168.17.0
subnet 192.168.17.0 255.255.255.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.9.0
subnet 192.168.9.0 255.255.255.0
object network obj-192.168.33.0
subnet 192.168.33.0 255.255.255.0
object network obj-192.168.44.0
subnet 192.168.44.0 255.255.255.0
object network obj_any
object network obj_any-01
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_192.168.17.0_24
subnet 192.168.17.0 255.255.255.0
object network subnet-00
subnet 0.0.0.0 0.0.0.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RDP tcp
description RDP
port-object eq 3389
object-group network DM_INLINE_NETWORK_1
network-object 192.168.17.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.33.0 255.255.255.0
network-object 192.168.44.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 192.168.10.0 255.255.255.0
network-object 192.168.33.0 255.255.255.0
network-object 192.168.44.0 255.255.255.0
object-group network subnet-17
network-object 192.168.17.0 255.255.255.0
object-group network subnet-2
network-object 192.168.2.0 255.255.255.0
object-group network subnet-9
network-object 192.168.9.0 255.255.255.0
object-group network subnet-10
network-object 192.168.10.0 255.255.255.0
! Pre-8.3 leftovers: the *_nat0_outbound / inside_nat0_outbound lists are
! not consumed by 8.3+ NAT (the "nat" statements below do that job).
access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list LAN_IP standard permit 192.168.17.0 255.255.255.0
! WAN_access_in is applied inbound on WAN (the Internet side). "permit ip
! any any" admits every flow that NAT or an identity-NAT rule can deliver
! inward, which makes the RDP line after it moot and turns the firewall
! into a router for anything reachable. Restrict this to the VPN peer and
! the services actually needed; "log debugging" on a catch-all also floods
! the syslog host.
access-list WAN_access_in extended permit ip any any log debugging
access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging
access-list WAN_access_in extended permit icmp x.x.x.x 255.255.255.248 192.168.10.0 255.255.255.0
access-list MANAGEMENT_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit icmp any object-group DM_INLINE_NETWORK_1
access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging
! Crypto ACL for the router peer. It should carry only the local->remote
! direction (192.168.17.0/24 -> 192.168.10.0/24), the mirror of the router's
! ACL 160; the first line below is the reverse and should be removed.
access-list WAN_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
! Not bound to any applied crypto map in the visible config.
access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list CiscoVPNClient_splitTunnelAcl standard permit 192.168.17.0 255.255.255.0
access-list LAN_access_in extended permit ip any any log debugging
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0
! WAN_2_cryptomap is not referenced by any crypto map in the visible config.
access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list LAN_IP_inbound standard permit 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list vpnusers_splitTunnelAcl extended permit ip 192.168.17.0 255.255.255.0 any
access-list nonat-in extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 52000
logging monitor informational
logging trap informational
logging asdm informational
logging from-address syslog
logging recipient-address level errors
logging host OLD-Private 192.168.17.110 format emblem
logging debug-trace
logging permit-hostdown
mtu WAN 1500
mtu OLD-Private 1500
mtu Management 1500
ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0
ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Vlan100
failover polltime interface 15 holdtime 75
failover key *****
failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
! To-the-box ICMP policy. On WAN only the listed networks/hosts may ping the
! ASA; everything else is denied explicitly.
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.10.0 255.255.255.0 WAN
icmp permit 192.168.17.0 255.255.255.0 WAN
icmp permit host c.c.c.c WAN
icmp permit host a.a.a.a WAN
icmp deny any WAN
icmp permit 192.168.10.0 255.255.255.0 OLD-Private
icmp permit 192.168.17.0 255.255.255.0 OLD-Private
icmp permit host a.a.a.a OLD-Private
! "host 192.168.10.0" is a network address written as a host; probably
! meant "192.168.10.0 255.255.255.0" as on the other interfaces.
icmp permit host 192.168.10.0 Management
icmp permit host 192.168.17.138 Management
icmp permit 192.168.1.0 255.255.255.0 Management
icmp permit host 192.168.1.26 Management
icmp permit host a.a.a.a Management
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
! Manual (twice) NAT is evaluated before object NAT, so these identity rules
! keep OLD-Private traffic to the VPN/remote subnets untranslated.
nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-10 subnet-10 no-proxy-arp
nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-2 subnet-2 no-proxy-arp
nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-9 subnet-9 no-proxy-arp
! This rule names 192.168.17.0/24 as the source on Management, but that
! subnet sits on OLD-Private (Management is 192.168.1.0/24). Looks like the
! wrong interface pair; the rule above already covers 17 -> 10. Verify with
! packet-tracer and drop whichever is dead.
nat (Management,WAN) source static NETWORK_OBJ_192.168.17.0_24 NETWORK_OBJ_192.168.17.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
!
! Everything else leaving OLD-Private toward WAN is PATed to the WAN address.
object network subnet-00
nat (OLD-Private,WAN) dynamic interface
! All three interface ACLs are "permit ip any any" (see above); the WAN one
! in particular should be tightened.
access-group WAN_access_in in interface WAN
access-group OLD-PRIVATE_access_in in interface OLD-Private
access-group MANAGEMENT_access_in in interface Management
route WAN 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
! SSH authenticates against the local user database, with lockout after 10
! consecutive failures.
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 10
! ASDM/HTTPS management is opened to 0.0.0.0/0 on WAN, i.e. to any Internet
! address; limit it to known management sources. The b.b.b.b entry is the
! ASA's own WAN address and adds nothing.
http server enable
http b.b.b.b 255.255.255.255 WAN
http 0.0.0.0 0.0.0.0 WAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
! Three crypto maps are defined (WAN_map, Office, MAP) but only "Office" is
! bound to WAN; the entries in WAN_map and MAP are inert. "Office 2" has the
! match ACL and peer but, as posted, no transform-set -- which is exactly
! what the later reply adds. "set pfs" on WAN_map 1 would not agree with the
! router (no PFS there), but that entry is not applied anyway.
crypto ipsec ikev1 transform-set OFFICE esp-aes esp-sha-hmac
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set pfs
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Office 2 match address WAN_1_cryptomap
crypto map Office 2 set peer a.a.a.a
crypto map Office interface WAN
crypto map MAP 10 set peer a.a.a.a
crypto map MAP 10 set ikev1 transform-set OFFICE
crypto ikev1 enable WAN
! Phase 1 lines up with the router's policy 10 (AES-256, pre-shared key,
! DH group 2; the router leaves hash at its default). Group 2 and SHA-1 are
! below current guidance -- move both ends together when upgrading.
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
! SSH is limited to two source hosts on WAN. Telnet has a timeout but no
! "telnet <src> <mask> <if>" permit lines in the paste, so it is closed.
telnet timeout 5
ssh 121.98.137.77 255.255.255.255 WAN
ssh a.a.a.a 255.255.255.255 WAN
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config OLD-Private
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.28 source WAN prefer
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
group-policy admin internal
group-policy admin attributes
dns-server value 208.67.222.222 156.154.70.1
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_a.a.a.a internal
group-policy GroupPolicy_a.a.a.a attributes
vpn-tunnel-protocol ikev1
group-policy CiscoVPNClient internal
group-policy CiscoVPNClient attributes
vpn-idle-timeout 30
vpn-session-timeout none
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CiscoVPNClient_splitTunnelAcl
! Local admin account, stored as an encrypted hash.
username admin password password encrypted privilege 15
tunnel-group admin type remote-access
tunnel-group admin general-attributes
address-pool vpnclient
authorization-server-group LOCAL
default-group-policy admin
! LAN-to-LAN group keyed by the router's address. Its PSK (masked here) must
! equal the string the router shows in "crypto isakmp key ... address b.b.b.b".
tunnel-group a.a.a.a type ipsec-l2l
tunnel-group a.a.a.a general-attributes
default-group-policy GroupPolicy_a.a.a.a
tunnel-group a.a.a.a ipsec-attributes
ikev1 pre-shared-key *****
! Second remote-access group; shares the "vpnclient" pool with "admin".
tunnel-group CiscoVPNClient type remote-access
tunnel-group CiscoVPNClient general-attributes
address-pool vpnclient
default-group-policy CiscoVPNClient
tunnel-group CiscoVPNClient ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
smtp-server 192.168.17.10
prompt hostname context
no call-home reporting anonymous
call-home
contact-email-addr
contact-name
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
asdm image disk0:/asdm-647.bin
asdm location b.b.b.b 255.255.255.255 WAN
asdm location 192.168.17.2 255.255.255.255 WAN
asdm location a.a.a.a 255.255.255.255 OLD-Private
no asdm history enable
02-09-2012 03:07 AM
WAN_1_cryptomap is defined incorrectly in your last config.
Once again. On ASA:
Remove this line:
crypto map MAP and
access-list WAN_2_cryptomap
and
access-list WAN_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
02-09-2012 03:23 AM
All removed:
5|Feb 10 2012|00:20:42|713904|||||IP = a.a.a.a, Received encrypted packet with no matching SA, dropping
4|Feb 10 2012|00:20:42|113019|||||Group = a.a.a.a, Username = a.a.a.a, IP = a.a.a.a, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
5|Feb 10 2012|00:20:42|713259|||||Group = a.a.a.a, IP = a.a.a.a, Session is being torn down. Reason: crypto map policy not found
3|Feb 10 2012|00:20:42|713902|||||Group = a.a.a.a, IP = a.a.a.a, Removing peer from correlator table failed, no match!
3|Feb 10 2012|00:20:42|713902|||||Group = a.a.a.a, IP = a.a.a.a, QM FSM error (P2 struct &0xcb4ce360, mess id 0x48eb296d)!
3|Feb 10 2012|00:20:42|713061|||||Group = a.a.a.a, IP = a.a.a.a, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.10.0/255.255.255.0/0/0 local proxy 192.168.17.0/255.255.255.0/0/0 on interface WAN
5|Feb 10 2012|00:20:42|713119|||||Group = a.a.a.a, IP = a.a.a.a, PHASE 1 COMPLETED
6|Feb 10 2012|00:20:42|113009|||||AAA retrieved default group policy (GroupPolicy_a.a.a.a) for user = a.a.a.a
6|Feb 10 2012|00:20:42|713172|||||Group = a.a.a.a, IP = a.a.a.a, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
02-09-2012 03:53 AM
Please add
crypto map Office 2 set ikev1 transform-set OFFICE
If it is not helpful, please enable debug crypto ipsec 255 and paste here.
HTH. Please rate if it was helpful. A "Correct answer" mark would also be appreciated.
02-09-2012 01:50 PM
Thanks Zhenya, you are a great man! The tunnel is up and I have access from the office to the remote network. Now I'm going to allow access from all VLANs in the office to the remote network, set up a keepalive for the tunnel and permit reverse access from the remote network to our office.
Thanks again, excellent solution!
02-10-2012 04:42 AM
No problem. You are welcome. The best thanks is to give a positive rating to my posts.
07-18-2012 04:42 AM
Hello Sir, I have a VPN connection between an ASA 5520 and a 2811 router. The tunnel is up and I can ping LAN to LAN, but I cannot pass user traffic from LAN to LAN. Below is my config.
Building configuration...
Current configuration : 4589 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! Passwords in this config are stored in clear text, and "class" is a
! well-known lab default. Turn on "service password-encryption", replace
! "enable password" with "enable secret", and -- since this config is now
! public -- treat every credential in it as disclosed and rotate it.
no service password-encryption
!
hostname mynet
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable password class
!
no aaa new-model
memory-size iomem 10
!
!
! Phase 1: 3DES, DH group 2, pre-shared key. 3DES is a 64-bit-block cipher
! and deprecated; prefer AES with group 14 or higher on both peers. The PSK
! is printed in clear below and has been posted publicly -- rotate it on
! both ends.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 2!@$24c# address *.*.*.*
!
!
! Two identical transform-sets; "test" is unused.
crypto ipsec transform-set test esp-3des esp-sha-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
!
! Interesting traffic is ACL 100 (10.45.0.0/24 -> 10.40.0.0/16). The ASA's
! crypto ACL must be the exact mirror of this and its NAT must exempt it.
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to*.*.*.*
set peer *.*.*.*
set security-association lifetime seconds 28800
set transform-set SDM_TRANSFORMSET_1
match address 100
!
!
crypto pki trustpoint TP-self-signed-2167060814
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2167060814
revocation-check none
rsakeypair TP-self-signed-2167060814
!
!
crypto pki certificate chain TP-self-signed-2167060814
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32313637 30363038 3134301E 170D3132 30373034 31333431
32365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31363730
36303831 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C364 7D402758 51F09695 BD154AC4 90AD2414 12EEC489 0A93144A E5F48988
9EBEA6E8 651B2DCC 74598794 98FE7BB4 24720967 D45458E4 1B511CD9 066465C2
6F7BABF4 BBDA2680 08058882 32E2B638 7AF69531 C29C0A90 E6346478 44729E28
2B3A6A2B 7F9EDC55 902BC5BD 17A6D9BD EA7034FA 667714B9 014AC84D ACFBA560
99230203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
551D1104 19301782 15454F44 2E6E6763 2D6E6E70 6367726F 75702E63 6F6D301F
0603551D 23041830 16801435 2811E226 99B57C71 DF7CA409 9A41978B 55CA5E30
1D060355 1D0E0416 04143528 11E22699 B57C71DF 7CA4099A 41978B55 CA5E300D
06092A86 4886F70D 01010405 00038181 0030C710 D435CF51 FEEC6767 45CFE3D7
448C764A 9C394041 5B48FE3C A0973381 5A08D7CC 843D8C88 945124EA 6AB2FF07
947F10FE 072A853B 44637E03 20AF196A 2481C0BF 89FB5B78 84E0F0F5 6D1CCDC2
D72DFE26 E5AE679E A23CAF1A 75E4FD45 502C57D5 FA04D427 6B32FE11 E2803ADE
6C39D9DF D59C0ADD 8BFCEBC9 92B2F514 CE
quit
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.43.0.0 10.43.0.50
ip dhcp excluded-address 10.45.0.1 10.45.0.50
!
ip dhcp pool ngcph
network 10.45.0.0 255.255.255.0
dns-server 83.229.88.30 217.194.129.30
default-router 10.45.0.1
domain-name ngc-nnpcgroup.com
lease 7
!
!
ip domain name ngc-nnpcgroup.com
!
multilink bundle-name authenticated
!
!
!
! Type 5 (MD5-based) secret -- the strongest this 12.4 image offers, but the
! hash is now public, so change the password.
username cisco privilege 15 secret 5 $1$hJFZ$/lQ9kVkbOqVVOoCs3LxlR0
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
! Internet-facing interface. No inbound ACL is applied and, unlike the vty
! and HTTP services, nothing below restricts which sources may reach the
! router's own management services.
interface FastEthernet0/0/0
description #ETH-WANS#
ip address *.*.*.* 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet0/1/0
description FE int to 2nd$ETH-LAN$
ip address 10.45.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 *.*.*.*
!
!
! Plain HTTP management is on alongside HTTPS; keep only the secure server
! and add an "ip http access-class".
ip http server
ip http authentication local
ip http secure-server
! The pool is named "ed" but the NAT statement references "ngceod"; either
! a paste artefact or a real mismatch -- "show ip nat statistics" will say.
! Route-map SDM_RMAP_1 (ACL 102) keeps the tunnel traffic out of NAT.
ip nat pool ed *.*.*.* *.*.*.* netmask 255.255.255.248
ip nat inside source route-map SDM_RMAP_1 pool ngceod
!
! ACL 10 and ACL 101 are not referenced in the visible config. ACL 100 is
! the crypto ACL; ACL 106 duplicates it and is unused. ACL 102 feeds the
! NAT route-map and correctly denies tunnel traffic before the permit.
access-list 10 remark CCP_ACL Category=16
access-list 10 permit 10.45.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.45.0.0 0.0.0.255 10.40.0.0 0.0.255.255
access-list 101 remark CCP_ACL Category=16
access-list 101 permit ip 10.45.0.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny ip 10.45.0.0 0.0.0.255 10.40.0.0 0.0.255.255
access-list 102 permit ip 10.45.0.0 0.0.0.255 any
access-list 106 remark CCP_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.45.0.0 0.0.0.255 10.40.0.0 0.0.255.255
! Read-only SNMP v1/v2c community with no access-list: anyone who can reach
! the router can poll it, and the string is now public. Replace it and bind
! it to an ACL ("snmp-server community <new> RO <acl>") or remove it.
snmp-server community ngc RO
!
!
! NAT policy: only traffic permitted by ACL 102 is translated, so the
! 10.45.0.0/24 -> 10.40.0.0/16 tunnel traffic keeps its real addresses.
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
!
control-plane
!
!
! "login local" authenticates against the username database, so the line
! passwords below are not used -- but they are still clear-text "class".
line con 0
password class
login local
line aux 0
! vty accepts telnet (clear text) and has no access-class; use
! "transport input ssh" and add an "access-class <acl> in".
line vty 0 4
privilege level 15
password class
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
webvpn cef
!
end
ASA
hostname MYHD-ASA
domain-name ngc-nnpcgroup.com
! Both hashes are now public and the "passwd" value appears to be the ASA
! factory default; change the enable password, passwd and user password.
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.40.0.1 255.255.0.0
no shutdown
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address *.*.*.* 255.255.255.240
no shutdown
!
! DMZ shares security-level 100 with inside and "same-security-traffic
! permit inter-interface" is set, with no interface ACLs in the paste, so
! inside and DMZ can reach each other freely -- the DMZ is not segmented.
! A lower level (e.g. 50, as CHQWAN uses) plus an ACL would restore that.
interface GigabitEthernet2
nameif DMZ
security-level 100
ip address 10.50.0.1 255.255.255.0
!
interface GigabitEthernet3
nameif CHQWAN
security-level 50
ip address 10.60.0.1 255.255.255.252
ftp mode passive
dns server-group DefaultDNS
domain-name ngc-nnpcgroup.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network OUTSIDEIP
host *.*.*.*
! Neither of the next two objects is referenced in the posted config, which
! suggests the NAT-exemption and crypto lines were omitted from the paste.
object network NETWORK_OBJ_10.40.0.0_16
subnet 10.40.0.0 255.255.0.0
! "test" is 10.45.0.0/16, but the router's crypto ACL uses 10.45.0.0/24. If
! this object feeds the ASA's crypto ACL the proxy identities will not
! mirror and IOS will reject the phase 2 negotiation; use the /24 here.
object network test
subnet 10.45.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu management 1500
mtu DMZ 1500
mtu inside 1500
mtu CHQWAN 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any echo-reply outside
icmp permit any echo outside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
! The only NAT rule is dynamic PAT of everything from inside. There is no
! exemption for 10.40.0.0/16 -> 10.45.0.0/24, so inside-originated traffic
! to the remote LAN is translated to the outside address and no longer
! matches the tunnel's proxy identity -- the likely reason user traffic
! fails while pings initiated from the far side work. Add an identity rule
! ahead of this one (manual NAT wins over object NAT), e.g.
! nat (inside,outside) source static NETWORK_OBJ_10.40.0.0_16 NETWORK_OBJ_10.40.0.0_16 destination static test test no-proxy-arp route-lookup
! with "test" corrected to the /24 the router expects. Note no crypto map,
! ikev1 policy or tunnel-group appears in this paste at all.
nat (inside,outside) source dynamic any interface
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
! ASDM/HTTPS is open to every inside host; narrow it to the management
! stations. No "ssh <src> <mask> <if>" lines are posted, so SSH is closed.
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username nnpc password St5pgJAjD4J/dO/i encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
management-access inside
Thanks in advance for your help