06-21-2010 02:41 PM
Hi everyone, I am super lost at this point, please help, I cannot get a site to site VPN connection between an ASA 5510 and 1841.
Below is the output of the ISAKMP, IPSEC and Crypto Maps for the 1841
Router#show cry isakmp sa
dst src state conn-id slot status
70.33.178.164 66.160.11.132 MM_NO_STATE 0 0 ACTIVE (deleted)
66.160.11.132 70.33.178.164 MM_NO_STATE 1 0 ACTIVE (deleted)
Router#sh cry ipsec sa
interface: FastEthernet0/1
Crypto map tag: asa1, local addr 66.160.11.132
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer 70.33.178.164 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 319, #recv errors 0
local crypto endpt.: 66.160.11.132, remote crypto endpt.: 70.33.178.164
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
current_peer 70.33.178.164 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 66.160.11.132, remote crypto endpt.: 70.33.178.164
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Router#sh cry map
Crypto Map "asa1" 1 ipsec-isakmp
Peer = 70.33.178.164
Extended IP access list 100
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.11.0 0.0.0.255
Current peer: 70.33.178.164
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
ESP-3DES-SHA,
}
Crypto Map "asa1" 10 ipsec-isakmp
Peer = 70.33.178.164
Extended IP access list 100
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.11.0 0.0.0.255
Current peer: 70.33.178.164
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
ESP-3DES-SHA,
}
Interfaces using crypto map asa1:
FastEthernet0/1
ASA 5510
Result of the command: "sh cry ipsec sa"
interface: outside
Crypto map tag: outside_map0, seq num: 2, local addr: 70.33.178.164
access-list outside_2_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
current_peer: 71.191.130.50
#pkts encaps: 175781, #pkts encrypt: 175781, #pkts digest: 175781
#pkts decaps: 267694, #pkts decrypt: 267694, #pkts verify: 267694
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 175781, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 70.33.178.164/4500, remote crypto endpt.:
71.191.130.50/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 552987DF
inbound esp sas:
spi: 0x4FFF5AF2 (1342135026)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (4373516/2107)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x552987DF (1428785119)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (4373641/2107)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Result of the command: "sh cry isakmp sa"
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 71.191.130.50
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 66.160.11.132
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Let me know if I should post anything else, please.
Thanks in advance
06-21-2010 02:48 PM
Hi,
According to the output:
ASA's public IP: 70.33.178.164
Router's public IP: 66.160.11.132
ASA's internal LAN:
192.168.10.0/24
192.168.11.0/24
Router's internal LAN:
192.168.30.0/24
The interesting traffic seems defined on the ASA to the 192.168.20.0/24 which is nowhere.
Please confirm the above addresses and clear the SAs and try again.
Federico.
06-21-2010 02:57 PM
The interesting traffic 192.168.20.0/24 is the second VPN connection, which connects from a different address than 66.160.x.x. The interesting traffic from 66 is 192.168.30.0/24.
I noticed in my own post that the type for 66.x.x is user where the other VPN that is connected is L2L. Is that the problem?
Thanks
06-21-2010 03:01 PM
Yes,
The fact that you're seeing the connection on the ASA from 66.160.11.132 as user indicates that it is landing on the dynamic crypto map instead of using the appropriate tunnel-group.
This could be because the ACL for interesting traffic is not matching on both ends.
Could you post the relevant VPN configuration from both sides (but just for this particular tunnel)?
Federico.
06-21-2010 03:06 PM
what commands do you want me to run to show the VPN config?
06-21-2010 03:09 PM
post
06-21-2010 03:10 PM
ASA:
sh run crypt map
sh run access-list NAME --> name is the ACL defined in the crypto map
sh run access-list NAME --> name is the ACL defined in the NAT 0 statement
sh run tunnel-group
sh run cry isa
sh run cry ips
Router:
sh run | i cry
sh access-list NAME --> name is the ACL defined in the crypto map
In case that you're doing NAT on the router, then copy the NAT configuration: sh run | i ip nat
From the above commands, just post the VPN configuration that pertains to this tunnel.
Federico.
06-21-2010 03:26 PM
ASA
Result of the command: "sh run crypt map"
crypto map outside_map0 1 match address outside_cryptomap_2
crypto map outside_map0 1 set peer 66.160.11.132 70.108.240.44
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 interface outside
Result of the command: "sh run access-list outside_cryptomap_2"
access-list outside_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
Result of the command: "sh run access-list NAT 0" (I am not sure what name to put)
Result of the command: "sh run tunnel-group"
tunnel-group 66.160.11.132 type ipsec-l2l
tunnel-group 66.160.11.132 ipsec-attributes
pre-shared-key *
Result of the command: "sh run cry isa"
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
Result of the command: "sh run cry ips"
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
1841
no service password-encryption
crypto isakmp policy 1
crypto isakmp key ****** address 70.33.178.164 no-xauth
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto map asa1 1 ipsec-isakmp
crypto map asa1 10 ipsec-isakmp
crypto map asa1
sh access-list asa1
nothing
Router#sh run | i ip nat
ip nat inside
ip nat outside
ip nat translation dns-timeout 180
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
Not sure if I did the access list right for the ASA and the 1841. The return for the 1841 was blank, and the ASA returned a lot. I tried to post what was relevant.
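The mirror-image check Federico describes above (the interesting-traffic ACL on each peer must be the src/dst-swapped image of the other peer's), run over the crypto ACLs and the ASA "sh cry isakmp sa" output posted in this thread. This is an added example and is not part of the original thread or of either device's configuration; the function names are the example's own. It goes a little beyond the thread's case: it parses both IOS wildcard-mask and ASA subnet-mask syntax, including "host" and "any", and it also reports any peer that has an ipsec-l2l tunnel-group but whose IKE SA the ASA has typed as "user". The sample strings are copied from the outputs earlier in the thread.

```python
"""Added example (not from the thread): mirror-image and tunnel-type checks
over the IOS and ASA output posted above.

Check 1: each peer's crypto ACL must be the src/dst-swapped mirror of the
         other peer's, or that flow is never negotiated.
Check 2: an ASA peer with an ipsec-l2l tunnel-group should not show
         Type "user" in "show crypto isakmp sa".
"""
import ipaddress

# Router side, copied from the thread's "sh cry map" (IOS inverse masks).
IOS_CRYPTO_ACL = """\
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.11.0 0.0.0.255
"""

# ASA side, copied from "sh run access-list outside_cryptomap_2" (subnet masks).
ASA_CRYPTO_ACL = """\
access-list outside_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
"""

# ASA side, copied from "sh cry isakmp sa" and "sh run tunnel-group".
ASA_ISAKMP_SA = """\
1   IKE Peer: 71.191.130.50
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 66.160.11.132
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""
ASA_TUNNEL_GROUPS = """\
tunnel-group 66.160.11.132 type ipsec-l2l
tunnel-group 66.160.11.132 ipsec-attributes
 pre-shared-key *
"""


def _take_net(tokens, wildcard):
    """Consume one address spec ("any", "host A" or "A MASK") from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = ipaddress.IPv4Address(tokens.pop(0))
    if wildcard:
        # IOS wildcard 0.0.0.255 is the bitwise inverse of netmask 255.255.255.0
        mask = ipaddress.IPv4Address(int(mask) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((tok, str(mask)), strict=False)


def parse_crypto_acl(text, wildcard):
    """Return the set of (src, dst) network strings permitted by a crypto ACL.

    wildcard=True parses IOS syntax (inverse masks), False parses ASA syntax
    (subnet masks). Config lines and the numbered "show access-list" form are
    both accepted; only "permit ip" entries define interesting traffic.
    """
    pairs = set()
    for line in text.splitlines():
        toks = line.split()
        if "permit" not in toks:
            continue
        i = toks.index("permit")
        if len(toks) < i + 4 or toks[i + 1] != "ip":
            continue
        rest = toks[i + 2:]
        try:
            src = _take_net(rest, wildcard)
            dst = _take_net(rest, wildcard)
        except (IndexError, ValueError):
            continue  # malformed or truncated entry: skip it
        pairs.add((str(src), str(dst)))
    return pairs


def mirror_check(local_pairs, remote_pairs):
    """Return (missing_on_remote, missing_on_local): entries on one side with
    no src/dst-swapped counterpart on the other side."""
    expect_remote = {(d, s) for s, d in local_pairs}
    expect_local = {(d, s) for s, d in remote_pairs}
    return (sorted(expect_remote - remote_pairs),
            sorted(expect_local - local_pairs))


def l2l_peers_typed_user(isakmp_sa_text, tunnel_group_text):
    """Peers with an ipsec-l2l tunnel-group whose IKE SA the ASA typed 'user'."""
    l2l = set()
    for line in tunnel_group_text.splitlines():
        toks = line.split()
        if len(toks) >= 4 and toks[0] == "tunnel-group" and toks[2:4] == ["type", "ipsec-l2l"]:
            l2l.add(toks[1])
    found, peer = set(), None
    for line in isakmp_sa_text.splitlines():
        toks = line.split()
        if "Peer:" in toks:
            peer = toks[toks.index("Peer:") + 1]
        elif len(toks) > 2 and toks[:2] == ["Type", ":"] and peer in l2l and toks[2].lower() == "user":
            found.add(peer)
    return sorted(found)


if __name__ == "__main__":
    router = parse_crypto_acl(IOS_CRYPTO_ACL, wildcard=True)
    asa = parse_crypto_acl(ASA_CRYPTO_ACL, wildcard=False)
    missing_on_asa, missing_on_router = mirror_check(router, asa)
    print("router entries with no mirror on the ASA:", missing_on_asa)
    print("ASA entries with no mirror on the router:", missing_on_router)
    print("L2L peers the ASA typed as user:",
          l2l_peers_typed_user(ASA_ISAKMP_SA, ASA_TUNNEL_GROUPS))
```

Run against the thread's own data, the script reports that the router's ACL 100 entry for 192.168.30.0/24 to 192.168.11.0/24 has no mirror in outside_cryptomap_2 (which only covers 192.168.10.0/24 to 192.168.30.0/24), and that 66.160.11.132 is typed "user" on the ASA despite having an ipsec-l2l tunnel-group. Whether either of those is the root cause is for the troubleshooting to settle; the check only makes the mismatches visible without reading the outputs by hand.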
06-21-2010 03:33 PM
We need this output from the ASA:
sh run nat
sh run access-list NAME --> name is the ACL that shows under the NAT0 statement from the command above
From the router:
sh run | sect route-map SDM_RMAP_1
sh access-list NAME --> name for the ACL that shows under the route-map above
Also try this:
ASA:
clear cry isa sa 66.160.11.132
clear cry ips sa peer 66.160.11.132
Router:
clear cry isa
clear cry sa
Then try to establish the tunnel again and see the results of both devices:
sh cry isa sa
sh cry ips sa
Federico.
06-21-2010 03:49 PM
post
06-21-2010 03:52 PM
Instead of:
Router#sh access-list SDM_RMAP_1
Please post:
Router#sh access-list 101
I think that we can see the entire picture after this last post.
Federico.
06-21-2010 03:53 PM
Router#sh access-list 101
Extended IP access list 101
10 deny ip 192.168.30.0 0.0.0.255 192.168.11.0 0.0.0.255
20 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255 (557 matches)
30 permit ip 192.168.30.0 0.0.0.255 any (2371 matches)
thanks a lot for your help
06-21-2010 03:58 PM
Let me know the results of these tests:
From the ASA can you PING 66.160.11.132?
From the router can you PING 70.33.178.164?
If both PINGs are successful, then let's try to send traffic through the tunnel.
First clear the SAs again and...
Add these two commands to the ASA:
management-access inside
sysopt connection permit-vpn
Then, from the router do this:
ping x.x.x.x source y.y.y.y
x.x.x.x is the IP of the inside interface of the ASA (192.168.10.x)
y.y.y.y is the IP of the internal interface of the router (192.168.30.x)
Check again:
sh cry isa sa
sh cry ips sa
Federico.
06-21-2010 04:11 PM
Ok, I was able to ping each device from the other.
When I ran the command management-access inside, it returned: "Please remove the management access before configure a new one".
As you can see below, I was not able to ping the inside addresses.
Router#ping 192.168.10.1 source 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.30.1
.....
Success rate is 0 percent (0/5)
Router#sh cry isa sa
dst src state conn-id slot status
70.33.178.164 66.160.11.132 MM_NO_STATE 0 0 ACTIVE
70.33.178.164 66.160.11.132 MM_NO_STATE 0 0 ACTIVE (deleted)
66.160.11.132 70.33.178.164 MM_SA_SETUP 1 0 ACTIVE
Router#sh cry ips sa
interface: FastEthernet0/1
Crypto map tag: asa1, local addr 66.160.11.132
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer 70.33.178.164 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 13, #recv errors 0
local crypto endpt.: 66.160.11.132, remote crypto endpt.: 70.33.178.164
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
current_peer 70.33.178.164 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 66.160.11.132, remote crypto endpt.: 70.33.178.164
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
06-21-2010 04:14 PM
Check this on the ASA:
sh run management
Make sure that you remove the management-access xxxxx and then add it as "management-access inside"
Check that the internal IP of the ASA is something in the 192.168.10.x and the internal IP of the router something in the 192.168.30.x
And try it both ways:
From the router:
ping 192.168.10.x source 192.168.30.x
From the ASA:
ping inside 192.168.30.x
Federico.