11-03-2012 01:51 AM
Hi
I am going crazy as this problem remains.
I have the HQ side with an ASA 5520 (8.4) and the branch side with an ASA 5505.
Design
VPN LAN<------->ASA5520(8.4)----->Thomson Business TG628s----->Internet<--->ADSL Modem------>ASA5505(8.2)
Now on both modems UDP 500 & TCP/UDP 4500 ports are enabled
I can ping from the internal LAN of HQ to the internal LAN of the branch, but
I can't ping from the internal LAN of the branch to the internal LAN of HQ.
HQ ASA 5520 Side
ASA Version 8.4(3)
!
hostname aljoaib-fw01
domain-name aljoaib.com
names
!
interface GigabitEthernet0/0
nameif External
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.252
!
interface GigabitEthernet0/1
nameif dmz_ext
security-level 50
ip address 192.168.100.254 255.255.255.252
!
interface GigabitEthernet0/2
nameif dmz_int
security-level 50
ip address 192.168.200.254 255.255.255.252
!
interface GigabitEthernet0/3
nameif internal-lan
security-level 100
ip address 172.16.1.251 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.0.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup External
dns domain-lookup internal-lan
dns server-group DefaultDNS
domain-name aljoaib.com
object network HQ-Subnet
subnet 172.16.1.0 255.255.255.0
object service http
service tcp destination eq www
object service https
service tcp source eq https destination eq https
object service telnet
service tcp destination eq telnet
object network Main-Internet-Link
host xxx.xxx.xxx.xxx
object network GTC-DMM
subnet 172.16.8.0 255.255.255.0
object network Mgmt
host 213.177.250.80
object network Main-Internet-Link-GW
host xxx.xxx.xxx.xxx
object network GTC-HASA
subnet 172.16.7.0 255.255.255.0
object-group icmp-type ICMP
icmp-object echo
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object traceroute
object-group icmp-type ICMP_GRP
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
icmp-object time-exceeded
icmp-object timestamp-reply
icmp-object traceroute
object-group service TCP_GRP tcp
port-object eq cifs
port-object eq citrix-ica
port-object eq ctiqbe
port-object eq echo
port-object eq www
port-object eq https
object-group protocol RDP_GRP
protocol-object tcp
object-group service POP-SMTP_GRP tcp
port-object eq pop3
port-object eq smtp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object udp
service-object tcp
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
service-object tcp-udp destination eq domain
service-object tcp-udp destination eq sip
service-object tcp destination eq domain
service-object tcp destination eq echo
service-object tcp destination eq https
service-object tcp destination eq login
service-object tcp destination eq sip
service-object tcp destination eq ssh
service-object udp destination eq domain
service-object udp destination eq echo
service-object udp destination eq sip
service-object udp destination eq talk
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group protocol ip_icmp
protocol-object ip
protocol-object icmp
object-group service esp-ip
service-object ip
service-object esp
object-group service ip-icmp
service-object ip
service-object icmp
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object tcp-udp destination eq echo
service-object tcp destination eq echo
service-object udp destination eq echo
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object icmp echo
service-object icmp echo-reply
access-list internal-lan_access_in extended permit object-group ip_icmp object HQ-Subnet any
access-list internal-lan_access_in extended permit ip 172.16.1.0 255.255.255.0 any
access-list External_cryptomap extended permit ip object HQ-Subnet object GTC-HASA
access-list External_cryptomap_1 extended permit object-group DM_INLINE_SERVICE_1 object HQ-Subnet object GTC-DMM
pager lines 24
logging enable
logging asdm-buffer-size 500
logging buffered debugging
logging asdm informational
mtu External 1500
mtu dmz_ext 1500
mtu dmz_int 1500
mtu internal-lan 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any External
icmp permit 213.177.250.80 255.255.255.248 External
icmp permit any internal-lan
icmp permit xxx.xxx.xxx.xxx 255.255.255.252 internal-lan
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (internal-lan,External) source static HQ-Subnet HQ-Subnet destination static GTC-DMM GTC-DMM
nat (internal-lan,External) source static HQ-Subnet HQ-Subnet destination static GTC-HASA GTC-HASA
nat (internal-lan,External) source dynamic HQ-Subnet interface
access-group internal-lan_access_in in interface internal-lan
route External 0.0.0.0 0.0.0.0 84.235.87.182 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set HO_VPN esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal aes-128-sha
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto map External_map 1 match address External_cryptomap_1
crypto map External_map 1 set peer 2.91.51.82
crypto map External_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map External_map 2 match address External_cryptomap
crypto map External_map 2 set peer 77.31.136.89
crypto map External_map 2 set ikev1 transform-set ESP-AES-128-SHA
crypto map External_map interface External
no crypto isakmp nat-traversal
crypto isakmp disconnect-notify
crypto ikev2 policy 60
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable External
crypto ikev1 enable External
crypto ikev1 am-disable
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 172.16.1.150-172.16.1.220 internal-lan
dhcpd dns 84.235.6.55 84.235.57.235 interface internal-lan
dhcpd domain aljoaib.com interface internal-lan
!
dhcpd address 192.168.0.2-192.168.0.10 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1 des-sha1
webvpn
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
group-policy GroupPolicy_77.31.136.89 internal
group-policy GroupPolicy_77.31.136.89 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_2.91.51.82 internal
group-policy GroupPolicy_2.91.51.82 attributes
vpn-tunnel-protocol ikev1
tunnel-group 2.91.51.82 type ipsec-l2l
tunnel-group 2.91.51.82 general-attributes
default-group-policy GroupPolicy_2.91.51.82
tunnel-group 2.91.51.82 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 77.31.136.89 type ipsec-l2l
tunnel-group 77.31.136.89 general-attributes
default-group-policy GroupPolicy_77.31.136.89
tunnel-group 77.31.136.89 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map ICMP-CMAP
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class ICMP-CMAP
inspect icmp
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6c3a455f1315b5310629b4c0705ad18a
: end
Branch side ASA 5505
:
ASA Version 8.2(5)
!
hostname GTC-DMM-FIREWALL
domain-name ALJOAIB.COM
enable password 7pgp93AEPfHtDc5N encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 172.16.1.0 HQ-Network
name XXX.xxx.xxx.xxx HO_WAN description WAN Link
name 77.31.3.192 WAN_Branch description WAN bRANCH
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.8.251 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan5
no nameif
security-level 50
ip address dhcp setroute
!
ftp mode passive
dns server-group DefaultDNS
domain-name ALJOAIB.COM
object-group service xpata
description port 81
service-object tcp-udp eq 81
service-object tcp eq 81
service-object udp eq 81
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_4
service-object icmp
service-object udp
service-object tcp
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
service-object tcp-udp eq domain
service-object tcp-udp eq sip
service-object tcp eq echo
service-object tcp eq https
service-object tcp eq login
service-object tcp eq sip
service-object udp eq domain
service-object udp eq echo
service-object udp eq sip
service-object udp eq talk
group-object xpata
object-group service DM_INLINE_SERVICE_5
service-object ip
service-object icmp
service-object udp
service-object tcp
service-object icmp echo
service-object icmp echo-reply
service-object tcp-udp eq echo
service-object tcp eq echo
service-object udp eq echo
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object tcp-udp eq echo
service-object tcp eq echo
service-object udp eq echo
access-list outside_cryptomap_1 extended permit object-group DM_INLINE_SERVICE_1 172.16.8.0 255.255.255.0 HQ-Network 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 172.16.8.0 255.255.255.0 any
access-list inside_nat0_outbound_1 extended permit ip 172.16.8.0 255.255.255.0 HQ-Network 255.255.255.0
pager lines 24
logging enable
logging console notifications
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 172.16.8.0 255.255.255.0
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer xxx.xxx.xxx.xxx
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 172.16.8.1-172.16.8.50 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
!
!
!
policy-map outside-policy
policy-map inside-policy
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ed909e1a3b55aa58f36325855e6a825b
: end
GTC-DMM-FIREWALL# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 84.235.87.181
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Both sides have static IP addresses.
Could someone help me to solve this issue?
11-03-2012 02:20 AM
Hello Asad,
Can you give me the output of the following from both ASAs:
show sysopt
regards
Harish
11-03-2012 04:33 AM
Hi Harish,
this command isn't available on either ASA.
11-03-2012 04:55 AM
Doesn't look like the service policy is applied on 5520 side, and the inspection wasn't even configured on the 5505 side.
Please kindly configure the following:
ASA 5520:
service-policy global_policy global
ASA 5505:
class-map inspection_default
match default-inspection-traffic
exit
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
11-04-2012 04:28 AM
Hi Jennifer
After adding these commands to the ASA 5520 and ASA 5505,
the tunnel came up as before, but now there is no ping from either side.
11-04-2012 05:00 AM
Please delete the class-map that you configured for ICMP, as it doesn't contain any match statement.
ASA 5520:
policy-map global_policy
no class ICMP-CMAP
Then try again.
11-04-2012 06:17 AM
Hi Jennifer
Still the same, no ping from either side.
I think the data cannot travel because of a blocking ACL. I am running out of options here; I need to go live next week.
11-04-2012 06:18 AM
What are you trying to ping to and from? Please share the IP addresses.
Also the output of the following from both ASA:
show cry isa sa
show cry ipsec sa
11-04-2012 07:50 AM
Hi Jennifer
I am trying to ping from a host on the HQ network to a host on the branch network.
Tomorrow I will send the output of these commands; it's off time here.
11-05-2012 05:43 AM
HOST IP: 172.16.1.22 GW:172.16.1.251
HQ ASA 5520
sh crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 37.106.21.191
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
sh crypto ipsec sa
interface: External
Crypto map tag: External_map, seq num: 3, local addr: 84.235.87.181
access-list External_cryptomap_2 extended permit ip 172.16.1.0 255.255.255.0 172.16.8.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.8.0/255.255.255.0/0/0)
current_peer: 37.106.21.191
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 16822, #pkts decrypt: 16822, #pkts verify: 16822
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 84.235.87.181/0, remote crypto endpt.: 37.106.21.191/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 0DD3A664
current inbound spi : 8CE6630A
inbound esp sas:
spi: 0x8CE6630A (2363908874)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 45056, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (4373893/19698)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x0DD3A664 (231974500)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 45056, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (4374000/19698)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Branch ASA 5505
HOST IP:172.16.8.1 GW:172.16.8.251
sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 84.235.87.181
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 192.168.1.8
access-list outside_cryptomap_1 extended permit ip 172.16.8.0 255.255.255.0 172.16.1.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.8.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (HQ-Network/255.255.255.0/0/0)
current_peer: 84.235.87.181
#pkts encaps: 16847, #pkts encrypt: 16847, #pkts digest: 16847
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 16847, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.8, remote crypto endpt.: 84.235.87.181
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 8CE6630A
current inbound spi : 0DD3A664
inbound esp sas:
spi: 0x0DD3A664 (231974500)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 36864, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/19596)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x8CE6630A (2363908874)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 36864, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373892/19596)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
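A reading aid for the two "show crypto ipsec sa" outputs above, added here as an example and not part of the thread: it parses the encaps/decaps counters and the crypto endpoints from both sides and states what the asymmetry means for troubleshooting. The sample text is a constructed, abridged copy of the posted outputs; the function names and finding codes are my own.

```python
import re
import ipaddress

# Constructed samples: abridged "show crypto ipsec sa" output modelled on the
# outputs posted in the thread (HQ ASA 5520 first, branch ASA 5505 second).
HQ_SA = """\
interface: External
Crypto map tag: External_map, seq num: 3, local addr: 84.235.87.181
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.8.0/255.255.255.0/0/0)
current_peer: 37.106.21.191
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 16822, #pkts decrypt: 16822, #pkts verify: 16822
#send errors: 0, #recv errors: 0
local crypto endpt.: 84.235.87.181/0, remote crypto endpt.: 37.106.21.191/0
"""

BRANCH_SA = """\
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 192.168.1.8
local ident (addr/mask/prot/port): (172.16.8.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer: 84.235.87.181
#pkts encaps: 16847, #pkts encrypt: 16847, #pkts digest: 16847
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.8, remote crypto endpt.: 84.235.87.181
"""


def parse_ipsec_sa(text):
    """Pull the counters and endpoints a troubleshooter cares about out of one
    'show crypto ipsec sa' block. Missing fields come back as None."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else None
    return {
        "encaps": grab(r"#pkts encaps:\s*(\d+)", int),
        "decaps": grab(r"#pkts decaps:\s*(\d+)", int),
        "send_errors": grab(r"#send errors:\s*(\d+)", int),
        "recv_errors": grab(r"#recv errors:\s*(\d+)", int),
        "peer": grab(r"current_peer:\s*([\d.]+)"),
        # [\d.]+ stops at the "/0" or "," that follows the address
        "local_endpt": grab(r"local crypto endpt\.:\s*([\d.]+)"),
        "remote_endpt": grab(r"remote crypto endpt\.:\s*([\d.]+)"),
    }


def behind_nat(sa):
    """True when the ASA's own crypto endpoint is RFC 1918 space: a NAT device
    sits between it and the Internet, so the peer sees a different address."""
    return ipaddress.ip_address(sa["local_endpt"]).is_private


def diagnose(a_name, a, b_name, b):
    """Cross-check both sides. Each side's encaps should roughly equal the other
    side's decaps. Returns (code, side, message) tuples."""
    findings = []
    for name, sa in ((a_name, a), (b_name, b)):
        if behind_nat(sa):
            findings.append(("nat-in-path", name,
                f"local crypto endpoint {sa['local_endpt']} is private: a NAT "
                f"device is in front of this ASA; NAT-T is what keeps ESP "
                f"working through it"))
    for s_name, s, r_name, r in ((a_name, a, b_name, b), (b_name, b, a_name, a)):
        if s["encaps"] > 0 and r["decaps"] == 0:
            findings.append(("lost-between-peers", s_name,
                f"{s_name} encapsulated {s['encaps']} packets but {r_name} "
                f"decapsulated none: ESP is not arriving, check the path/NAT"))
        if s["encaps"] == 0 and s["decaps"] > 0:
            # Decrypting fine but never encrypting: the reply traffic is dropped
            # before it reaches the crypto map, i.e. outside the tunnel itself.
            findings.append(("no-return-traffic", s_name,
                f"{s_name} decapsulated {s['decaps']} packets but encapsulated "
                f"none: replies never reach the crypto map on {s_name} (check "
                f"the interface ACL, NAT exemption and routing)"))
    return findings


if __name__ == "__main__":
    hq, branch = parse_ipsec_sa(HQ_SA), parse_ipsec_sa(BRANCH_SA)
    for code, side, msg in diagnose("HQ", hq, "branch", branch):
        print(f"[{code}] {side}: {msg}")
```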
11-05-2012 06:00 AM
Hi Harish
After running this command on the branch-side ASA 5505 I got this message:
GTC-DMM-FIREWALL(config)# sho runn sysopt
no sysopt connection reclassify-vpn
After running this command on the HQ-side ASA 5520 I got this:
aljoaib-fw01(config)# sh runn sysopt
aljoaib-fw01(config)#
11-05-2012 06:56 PM
In taking a quick peek at your config, it looks as though you have NAT-T (port 4500) disabled on both sides:
no crypto isakmp nat-traversal
Have you tried enabling it to see if that helps?
The fact that the "show crypto ipsec sa" is showing packets being encapsulated but not decapsulated on one side means you're very close to having the tunnel up and running, and I suspect it's probably something to do with NAT-T or how you are NAT'ing across the tunnel.
11-13-2012 12:34 AM
The config for the dynamic setup is:
ASA Version 8.4(3)
!
hostname aljoaib-fw01
domain-name aljoaib.com
enable password 7pgp93AEPfHtDc5N encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif External
security-level 0
ip address 84.235.87.181 255.255.255.252
!
interface GigabitEthernet0/1
nameif dmz_ext
security-level 50
ip address 192.168.100.254 255.255.255.252
!
interface GigabitEthernet0/2
nameif dmz_int
security-level 50
ip address 192.168.200.254 255.255.255.252
!
interface GigabitEthernet0/3
nameif internal-lan
security-level 100
ip address 172.16.1.251 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.0.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup External
dns domain-lookup internal-lan
dns server-group DefaultDNS
name-server 84.235.6.55
name-server 84.235.57.230
domain-name aljoaib.com
object network HQ-Subnet
subnet 172.16.1.0 255.255.255.0
object service http
service tcp destination eq www
object service https
service tcp source eq https destination eq https
object service telnet
service tcp destination eq telnet
object network Main-Internet-Link
host 84.235.87.181
object network GTC-DMM
subnet 172.16.8.0 255.255.255.0
object network Mgmt
host 213.177.250.80
object network Main-Internet-Link-GW
host 84.235.87.182
object network GTC-HASA
subnet 172.16.7.0 255.255.255.0
object-group icmp-type ICMP
icmp-object echo
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object traceroute
object-group icmp-type ICMP_GRP
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
icmp-object time-exceeded
icmp-object timestamp-reply
icmp-object traceroute
object-group service TCP_GRP tcp
port-object eq cifs
port-object eq citrix-ica
port-object eq ctiqbe
port-object eq echo
port-object eq www
port-object eq https
object-group protocol RDP_GRP
protocol-object tcp
object-group service POP-SMTP_GRP tcp
port-object eq pop3
port-object eq smtp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object udp
service-object tcp
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
service-object tcp-udp destination eq domain
service-object tcp-udp destination eq sip
service-object tcp destination eq domain
service-object tcp destination eq echo
service-object tcp destination eq https
service-object tcp destination eq login
service-object tcp destination eq sip
service-object tcp destination eq ssh
service-object udp destination eq domain
service-object udp destination eq echo
service-object udp destination eq sip
service-object udp destination eq talk
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group protocol ip_icmp
protocol-object ip
protocol-object icmp
object-group service esp-ip
service-object ip
service-object esp
object-group service ip-icmp
service-object ip
service-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object icmp echo
service-object icmp echo-reply
access-list internal-lan_access_in extended permit object-group ip_icmp object HQ-Subnet any
access-list External_cryptomap extended permit ip object HQ-Subnet object GTC-HASA
access-list External_cryptomap_2 extended permit ip object HQ-Subnet object GTC-DMM
pager lines 24
logging enable
logging asdm-buffer-size 500
logging buffered debugging
logging asdm informational
mtu External 1500
mtu dmz_ext 1500
mtu dmz_int 1500
mtu internal-lan 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any External
icmp permit 213.177.250.80 255.255.255.248 External
icmp permit any internal-lan
icmp permit 84.235.87.180 255.255.255.252 internal-lan
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (internal-lan,External) source static HQ-Subnet HQ-Subnet destination static GTC-DMM GTC-DMM
nat (internal-lan,External) source static HQ-Subnet HQ-Subnet destination static GTC-HASA GTC-HASA
nat (internal-lan,External) source dynamic HQ-Subnet interface
access-group internal-lan_access_in in interface internal-lan
route External 0.0.0.0 0.0.0.0 84.235.87.182 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 management
http 84.235.87.181 255.255.255.255 External
http 213.177.250.80 255.255.255.248 External
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set HO_VPN esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal aes-128-sha
protocol esp encryption aes
protocol esp integrity sha-1
crypto dynamic-map GTC-DMM 3 match address External_cryptomap_2
crypto dynamic-map GTC-DMM 3 set ikev1 transform-set ESP-AES-128-SHA
crypto map External_map 2 match address External_cryptomap
crypto map External_map 2 set peer 77.31.136.89
crypto map External_map 2 set ikev1 transform-set ESP-AES-128-SHA
crypto map External_map 3 ipsec-isakmp dynamic GTC-DMM
crypto map External_map interface External
no crypto isakmp nat-traversal
crypto isakmp disconnect-notify
crypto ikev2 policy 60
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable External
crypto ikev1 enable External
crypto ikev1 am-disable
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 172.16.1.150-172.16.1.220 internal-lan
dhcpd dns 84.235.6.55 84.235.57.235 interface internal-lan
dhcpd domain aljoaib.com interface internal-lan
!
dhcpd address 192.168.0.2-192.168.0.10 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1 des-sha1
webvpn
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
group-policy GroupPolicy_77.31.136.89 internal
group-policy GroupPolicy_77.31.136.89 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
tunnel-group 77.31.136.89 type ipsec-l2l
tunnel-group 77.31.136.89 general-attributes
default-group-policy GroupPolicy_77.31.136.89
tunnel-group 77.31.136.89 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group GTC-DMM type ipsec-l2l
tunnel-group GTC-DMM general-attributes
default-group-policy GroupPolicy1
tunnel-group GTC-DMM ipsec-attributes
ikev1 pre-shared-key *****
!
class-map ICMP-CMAP
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class ICMP-CMAP
inspect icmp
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
policy-map type inspect ipsec-pass-thru IPsec_pass
description for all branches
parameters
esp
ah
policy-map type inspect sip sip_pass
description for VoIP fone
parameters
max-forwards-validation action drop log
!
11-13-2012 12:33 AM
Hi Jonathan
I tried this command as well, but nothing happened either. Now a new issue has come up:
the static IP of the branch has been changed to dynamic, and I configured the ASA 5520 at HQ for a dynamic peer, so now I am getting this error and the tunnel won't come up at all.
Nov 12 20:30:08 [IKEv1]IP = 94.98.240.216, Header invalid, missing SA payload! (next payload = 4)
Nov 12 20:30:16 [IKEv1]IP = 94.98.240.216, Header invalid, missing SA payload! (next payload = 4)
Nov 12 20:30:24 [IKEv1]IP = 94.98.240.216, Header invalid, missing SA payload! (next payload = 4)
Nov 12 20:30:34 [IKEv1]Group = 94.98.240.216, IP = 94.98.240.216, Can't find a valid tunnel group, aborting...!
Nov 12 20:30:42 [IKEv1]IP = 94.98.240.216, Header invalid, missing SA payload! (next payload = 4)
Nov 12 20:30:50 [IKEv1]IP = 94.98.240.216, Header invalid, missing SA payload! (next payload = 4)
Nov 12 20:30:58 [IKEv1]IP = 94.98.240.216, Header invalid, missing SA payload! (next payload = 4)
What is this about?
11-13-2012 04:29 AM
Can anyone reply on this? How do I get the tunnel up with a dynamic address on the branch side?