kjorviss


Cisco ASA 5510 IPSEC disaster!

Hi Guys,

I have an ASA 5510 running 7.1.2. I use it just as a B2B VPN unit. I have NAT'd the machines on the inside that need to connect to destination LANs to public addresses for uniqueness (but do not have those addresses routable anywhere on the public Internet).

I am trying to set up an IPSEC VPN using a pre-shared key to a new client, but the tunnel keeps failing on Phase 1. Here is the output of "show crypto isakmp":
NCVPN01# show crypto isakmp

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: x.x.x.x
    Type    : user            Role    : initiator
    Rekey   : no              State   : AM_WAIT_MSG2

Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 213663
Out Packets: 714
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 180
Initiator Fails: 176

As you can see there are loads of initiator fails and not much else. One thing I cannot find a definition for is the output of the "State" field, AM_WAIT_MSG2. I am presuming it is referring to the setup of the management connection.

Here is the output of "debug crypto isakmp":

Feb 27 14:07:40 [IKEv1]: IP = Remote Peer, Removing peer from peer table failed, no match!
Feb 27 14:07:40 [IKEv1]: IP = Remote Peer, Error: Unable to remove PeerTblEntry

I have spent a few hours on this now and am not getting anywhere!

Any help is greatly appreciated.

Thanks

Kevin
Michael Worsham

Can you cut/paste your running configuration?
kjorviss

ASKER

Here you go:
ASA Version 7.1(2)
!
hostname xxx
domain-name xxx.local
enable password xxxxxxx
names
name 192.168.12.10 Term01
name 192.168.12.11 Term02
name 192.168.12.13 Term04
name 192.168.12.14 Term05
name 192.168.12.12 Term03
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif Inside
 security-level 100
 ip address 192.168.12.252 255.255.255.0
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif Outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.8.0.3 255.255.255.0
 management-only
!
passwd xxxx encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server xxx.xxx.xxx.xxx
 domain-name xxx.local
access-list natvpnT01 extended permit ip host Term01 host xxx.xxx.xxx.234
access-list natvpnT02 extended permit ip host Term02 host xxx.xxx.xxx.234
access-list natvpnT03 extended permit ip host Term03 host xxx.xxx.xxx.234
access-list natvpnT05 extended permit ip host Term05 host xxx.xxx.xxx.234
access-list vpntraffic extended permit ip host xxx.xxx.xxx.123 host xxx.xxx.xxx.234
access-list vpntraffic extended permit ip host xxx.xxx.xxx.124 host xxx.xxx.xxx.234
access-list vpntraffic extended permit ip host xxx.xxx.xxx.125 host xxx.xxx.xxx.234
access-list vpntraffic extended permit ip host xxx.xxx.xxx.126 host xxx.xxx.xxx.234
pager lines 24
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
nat-control
static (Inside,Outside) xxx.xxx.xxx.124  access-list natvpnT02
static (Inside,Outside) xxx.xxx.xxx.125  access-list natvpnT03
static (Inside,Outside) xxx.xxx.xxx.126  access-list natvpnT05
static (Inside,Outside) xxx.xxx.xxx.123  access-list natvpnT01
route Outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.8.0.0 255.255.255.0 management
snmp-server host Inside 192.168.12.7 community xxxxxxx
snmp-server location xxxxxxx
snmp-server contact xxxxxxx
snmp-server community xxxxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 30 match address vpntraffic
crypto map outside_map 30 set peer xxx.xxx.xxx.xxx
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map interface Outside
isakmp enable Outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 1440
isakmp nat-traversal  30
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
ntp server 216.27.75.98 source Outside
tftp-server Inside 192.168.12.26 /xxxxxxx.conf
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxx
: end
Verify the pre-shared key was entered correctly on both ends, and that the ACLs associated with the "match address vpntraffic" are mirrors of each other as well. Also, make sure the isakmp properties match up for encryption, hashing, lifetime, etc.
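The two checks in the reply above that can be done from config text (phase-1 attributes agreeing and the crypto ACLs being mirror images) are mechanical enough to script. The following is an added example and not code from the thread or from Cisco: it parses ASA-style `isakmp policy`, `name`, `object-group network` and extended `access-list` lines from both sides and reports what does not line up. Every config line in it is constructed: the local side is modelled on the posted config with documentation-range addresses (203.0.113.x) standing in for the masked public addresses, and the peer side is invented and written in the same ASA syntax purely for the example.

```python
"""Audit an IKEv1 site-to-site pairing: phase-1 attributes and crypto-ACL mirroring.
Added example; all configs below are constructed, not from the thread."""
import re
from ipaddress import ip_network

LOCAL_CFG = """\
names
name 192.168.12.11 Term02
object-group network Remote_End
  network-object 10.10.6.0 255.255.255.192
access-list remote_vpn extended permit ip host 203.0.113.123 object-group Remote_End
access-list remote_vpn extended permit ip host 203.0.113.124 object-group Remote_End
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 1440
""".splitlines()

# Peer as first supplied (constructed): hash differs and the .124 host is missing.
PEER_CFG_BAD = """\
access-list local_vpn extended permit ip 10.10.6.0 255.255.255.192 host 203.0.113.123
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
""".splitlines()

# Peer after correction (constructed): phase-1 attributes agree and the ACL mirrors ours.
PEER_CFG_GOOD = """\
access-list local_vpn extended permit ip 10.10.6.0 255.255.255.192 host 203.0.113.123
access-list local_vpn extended permit ip 10.10.6.0 255.255.255.192 host 203.0.113.124
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
""".splitlines()

def parse_names(lines):
    """'name <ip> <alias>' statements; the ASA substitutes the alias in ACLs and logs."""
    names = {}
    for line in lines:
        m = re.match(r"name (\S+) (\S+)$", line)
        if m:
            names[m.group(2)] = m.group(1)
    return names

def parse_object_groups(lines):
    """Expand 'object-group network' blocks into lists of networks."""
    groups, current = {}, None
    for line in lines:
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif current and (m := re.match(r"\s+network-object (\S+) (\S+)", line)):
            groups[current].append(ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif not line.startswith(" "):
            current = None
    return groups

def _endpoint(tokens, i, groups, names):
    """Parse one ACL endpoint starting at tokens[i]; return (networks, next index)."""
    if tokens[i] == "host":
        return [ip_network(names.get(tokens[i + 1], tokens[i + 1]) + "/32")], i + 2
    if tokens[i] == "object-group":
        return groups[tokens[i + 1]], i + 2
    if tokens[i] == "any":
        return [ip_network("0.0.0.0/0")], i + 1
    return [ip_network(f"{tokens[i]}/{tokens[i + 1]}")], i + 2

def parse_acl(lines, acl_name):
    """Expand the named extended ACL's permit lines into (src, dst) network pairs."""
    names, groups, pairs = parse_names(lines), parse_object_groups(lines), set()
    for line in lines:
        t = line.split()
        if t[:4] != ["access-list", acl_name, "extended", "permit"]:
            continue
        srcs, i = _endpoint(t, 5, groups, names)   # t[4] is the protocol
        dsts, _ = _endpoint(t, i, groups, names)
        pairs.update((s, d) for s in srcs for d in dsts)
    return pairs

def parse_isakmp_policies(lines):
    """{priority: {attribute: value}} from 'isakmp policy N <attr> <value>' lines."""
    policies = {}
    for line in lines:
        m = re.match(r"isakmp policy (\d+) (\S+) (\S+)$", line)
        if m:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies

def audit(local_cfg, local_acl, peer_cfg, peer_acl):
    """Policy pairs that agree on the attributes IKEv1 must match, plus crypto-ACL
    entries lacking a mirror.  Lifetime is reported separately: IKEv1 negotiates
    down to the shorter value, so a difference is a note, not a phase-1 failure."""
    lp, pp = parse_isakmp_policies(local_cfg), parse_isakmp_policies(peer_cfg)
    must_match = ("authentication", "encryption", "hash", "group")
    matches = [(a, b) for a in lp for b in pp
               if all(lp[a].get(k) == pp[b].get(k) for k in must_match)]
    local_pairs = parse_acl(local_cfg, local_acl)
    peer_mirrored = {(d, s) for s, d in parse_acl(peer_cfg, peer_acl)}
    return {
        "isakmp_matches": matches,
        "lifetime_differs": [(a, b) for a, b in matches
                             if lp[a].get("lifetime") != pp[b].get("lifetime")],
        "local_only": local_pairs - peer_mirrored,
        "peer_only": peer_mirrored - local_pairs,
    }

if __name__ == "__main__":
    for label, peer in (("as supplied", PEER_CFG_BAD), ("corrected", PEER_CFG_GOOD)):
        print(label, audit(LOCAL_CFG, "remote_vpn", peer, "local_vpn"))
```

Run against the "as supplied" peer it reports no usable phase-1 policy (md5 versus sha) and the 203.0.113.124 entry with no mirror; against the corrected peer it reports policy 20/10 as a match with only the lifetime differing and no ACL gaps. The pre-shared key itself cannot be checked this way; that still has to be confirmed with the other side.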
Hi,

I am waiting for the dudes on the other end to get back to me on this. I will let you know...

Kevin
Sorry about the delay......

The guys on the other end had made a mistake on their end, so I can now get the tunnel up as shown below:

NCVPN01# sh crypto isakmp stats

Global IKE Statistics
Active Tunnels: 1
Previous Tunnels: 1
In Octets: 1080
In Packets: 9
In Drop Packets: 0
In Notifys: 5
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 1220
Out Packets: 10
Out Drop Packets: 0
Out Notifys: 10
Out P2 Exchanges: 1
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 1
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0

But I am not sure if there is any traffic going over the tunnel! I cannot ping any of the machines on the other side that I am supposed to have access to. If I keep a ping going from a host on my side then the tunnel comes up but there is no response. If I look at the IPsec stats I see this:

NCVPN01# sh crypto ipsec stats

IPsec Global Statistics
-----------------------
Active tunnels: 1
Previous tunnels: 1
Inbound
    Bytes: 0
    Decompressed bytes: 0
    Packets: 0
    Dropped packets: 0
    Replay failures: 0
    Authentications: 0
    Authentication failures: 0
    Decryptions: 0
    Decryption failures: 0
Outbound
    Bytes: 2520
    Uncompressed bytes: 2520
    Packets: 42
    Dropped packets: 0
    Authentications: 42
    Authentication failures: 0
    Encryptions: 42
    Encryption failures: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0

What worries me is that the out packets and the Authentications are exactly the same number... I do not know if this is because I have messed my NAT config up or the other side have messed their routing up! I was originally told that I would have access to only one host on the remote end, but now it is an entire subnet. I have changed the config from the original posting; please find the current one below:

NCVPN01# sh run
: Saved
:
ASA Version 7.1(2)
!
hostname NCVPN01
domain-name xxxxxxx.local
enable password xxxxxxxxxxxxx encrypted
names
name 192.168.12.10 Term01
name 192.168.12.11 Term02
name 192.168.12.13 Term04
name 192.168.12.14 Term05
name 192.168.12.12 Term03
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif Inside
 security-level 100
 ip address 192.168.12.252 255.255.255.0
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif Outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.8.0.3 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 192.168.12.28
 domain-name xxxxxx.local
object-group network Remote_End
  network-object 10.10.6.0 255.255.255.192
access-list natvpnT01 extended permit ip host Term01 object-group Remote_End
access-list natvpnT02 extended permit ip host Term02 object-group Remote_End
access-list natvpnT02 extended permit icmp host Term02 object-group Remote_End
access-list natvpnT03 extended permit ip host Term03 object-group Remote_End
access-list natvpnT05 extended permit ip host Term05 object-group Remote_End
access-list remote_vpn extended permit ip host xxx.xxx.xxx.123 object-group Remote_End
access-list remote_vpn extended permit ip host xxx.xxx.xxx.124 object-group Remote_End
access-list remote_vpn extended permit ip host xxx.xxx.xxx.125 object-group Remote_End
access-list remote_vpn extended permit ip host xxx.xxx.xxx.126 object-group Remote_End
access-list remote_vpn extended permit icmp host xxx.xxx.xxx.124 object-group Remote_End
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
nat-control
static (Inside,Outside) xxx.xxx.xxx.123  access-list natvpnT01
static (Inside,Outside) xxx.xxx.xxx.124  access-list natvpnT02
static (Inside,Outside) xxx.xxx.xxx.125  access-list natvpnT03
static (Inside,Outside) xxx.xxx.xxx.126  access-list natvpnT05
route Outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.8.0.0 255.255.255.0 management
snmp-server host Inside 192.168.12.7 community xxxxxxxxx
snmp-server location xxxxxxx
snmp-server contact xxxxxxxx
snmp-server community xxxxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address remote_vpn
crypto map outside_map 20 set peer xxx.xxx.xxx.194
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface Outside
isakmp identity address
isakmp enable Outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 1440
isakmp nat-traversal  20
tunnel-group xxx.xxx.xxx.194 type ipsec-l2l
tunnel-group xxx.xxx.xxx.194 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
ntp server xxx.xxx.xxx.xxx source Outside
tftp-server Inside 192.168.12.26 /ncvpn01.conf
Cryptochecksum:xxxxxxxxxxxxx
: end

I am pinging a host in the subnet in the object group from the "name" Term02, which has the private IP of 192.168.12.11. That machine has a static route to the inside interface of the ASA (which works, as when I start the ping it brings the tunnel up). But I need the source address of this machine to be xxx.xxx.xxx.124, not the private address. I think I have the static NAT and access-list configs OK.

The remote end guys have assured me that they are routing traffic from xxx.xxx.xxx.124 back to my peer, but as you can see from the show outputs above I am not receiving any IPSec traffic back from them.

I am worried that I have messed my NAT config up and even though the tunnel is coming up, no traffic is being sent to the remote end.

Any help will greatly improve my sanity.....

Thanks

Kevin
Guys,

I have run "debug ICMP Trace" while pinging a host at the remote end; this is the result:

ICMP echo request (len 32 id 512 seq 59131) Term02 > 10.10.6.1
ICMP echo request (len 32 id 512 seq 59387) Term02 > 10.10.6.1
ICMP echo request (len 32 id 512 seq 59643) Term02 > 10.10.6.1
ICMP echo request (len 32 id 512 seq 59899) Term02 > 10.10.6.1
ICMP echo request (len 32 id 512 seq 60155) Term02 > 10.10.6.1

As the "Name" Term02 is being reported and not the xxx.xxx.xxx.124 address, does this mean that the NAT is not working? Or is this correct as the packet really is coming from the private address?

I cannot find a way to see what the source address of the traffic is as it goes out the Outside interface.
Have you installed the ASDM? It has a nice packet tracer that tells you which ACLs the packets are verified against, interfaces, translations, etc. It helps quite a bit in making sure everything is functioning as expected, from your own end at least.
Hi,

I have installed ASDM, but cannot really find anything on it that could be a packet tracer; the version that was installed on the workstation from the device is 5.1...

I ran a debug using ASDM and here is what it is showing me:

6|Mar 06 2008 11:26:25|302021: Teardown ICMP connection for faddr 10.10.6.1/0 gaddr xxx.xxx.xxx.124/512 laddr Term02/512
6|Mar 06 2008 11:26:23|302020: Built ICMP connection for faddr 10.10.6.1/0 gaddr xxx.xxx.xxx.124/512 laddr Term02/512

But I cannot find the definitions of "faddr", "gaddr" or "laddr" to try and work out whether the xxx.xxx.xxx.124 address is being used as the source address when packets are going down the tunnel.......

Thanks

Kevin
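In the 302020/302021 messages in the post above, faddr is the foreign (remote-side) address, gaddr the global address as it appears on the lower-security interface after translation, and laddr the local (real) address; the ASA prints a configured `name` alias in place of the IP, which is why Term02 shows up in both the debug trace and the syslog. A gaddr that differs from laddr means the static policy NAT was applied to that connection. The following is an added example, not code from the thread or from Cisco: a small Python parser over constructed log lines modelled on the posted ones (203.0.113.124 stands in for the masked global address, and a third, invented line shows what an untranslated host would look like) that pulls out the three addresses, resolves the alias, and flags any local host that left with its real address.

```python
"""Parse ASA 302020/302021 connection syslogs and check whether NAT was applied.
Added example; the log lines and the name table below are constructed."""
import re

# Constructed sample modelled on the posted ASDM log output (severity|timestamp|msgid: text).
SAMPLE_LOG = """\
6|Mar 06 2008 11:26:23|302020: Built ICMP connection for faddr 10.10.6.1/0 gaddr 203.0.113.124/512 laddr Term02/512
6|Mar 06 2008 11:26:25|302021: Teardown ICMP connection for faddr 10.10.6.1/0 gaddr 203.0.113.124/512 laddr Term02/512
6|Mar 06 2008 11:30:01|302020: Built ICMP connection for faddr 10.10.6.1/0 gaddr 192.168.12.13/512 laddr 192.168.12.13/512
"""

# Alias table as the ASA would build it from 'name' statements (constructed).
NAMES = {"Term02": "192.168.12.11"}

CONN_RE = re.compile(
    r"\|(?P<msgid>30202[01]): (?P<event>Built|Teardown) (?P<proto>\S+) connection for "
    r"faddr (?P<faddr>[^/ ]+)/(?P<fport>\d+) gaddr (?P<gaddr>[^/ ]+)/(?P<gport>\d+) "
    r"laddr (?P<laddr>[^/ ]+)/(?P<lport>\d+)"
)

def parse_connection_events(text, names=NAMES):
    """One dict per 302020/302021 line with faddr/gaddr/laddr, aliases resolved to IPs,
    and a 'translated' flag set when the global address differs from the local one."""
    events = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["laddr"] = names.get(ev["laddr"], ev["laddr"])
        ev["gaddr"] = names.get(ev["gaddr"], ev["gaddr"])
        ev["translated"] = ev["gaddr"] != ev["laddr"]
        events.append(ev)
    return events

def untranslated_hosts(events):
    """Local hosts whose connections were built with gaddr == laddr, i.e. the static
    policy NAT did not match them and they reached the peer with their real address."""
    return sorted({e["laddr"] for e in events
                   if e["event"] == "Built" and not e["translated"]})

if __name__ == "__main__":
    for e in parse_connection_events(SAMPLE_LOG):
        print(e["msgid"], e["event"], e["laddr"], "->", e["gaddr"], "->", e["faddr"],
              "translated" if e["translated"] else "NOT translated")
    print("untranslated:", untranslated_hosts(parse_connection_events(SAMPLE_LOG)))
```

For the first two lines the script reports Term02 (192.168.12.11) leaving as 203.0.113.124 towards 10.10.6.1, which is the translation the config intends; the invented third line is flagged because its gaddr equals its laddr, the pattern to look for if a host's NAT rule is missing.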
ASKER CERTIFIED SOLUTION
Cyclops3590

Does not look like 5.1 has a packet tracer.........

But now that you have explained the address scheme, it does look like it is using the NAT'd address...

Looks like I am going to have to dig out the SmartNet contract number and find my login to download the new software...